On Thursday, 15 August 2013 12:23:18 UTC+3, Gervase Markham wrote:
> On 14/08/13 07:09, Mikko Rantalainen wrote:
>
> > I'd say that such a bookmark would be highly probably safe, if that
> > bookmark did include fingerprint for the site public key (*not CA key
> > fingerprint*) and the browser did verify the fingerprint before
> > entering the site.
>
> Except that the bookmark would break with a scary warning whenever the
> site changed its key - i.e. once every two years.
No. The site's public key does not need to be changed to request a new certificate. A CA-signed certificate is technically a digital signature saying that a given public key belongs to a site. You can create a new signature without changing the public key. The only reason CAs need to renew the signatures in the first place is that they sign for a limited time for monetary purposes. (Officially CAs claim that the time limit is for security purposes, but why allow 2-year certs if a time limit increases security? Why not issue a new signature every day and be done with broken revocation lists?)

-- 
Mikko

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
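An added example, not part of the thread, showing the distinction Mikko draws between pinning the site's public key and pinning the certificate. It uses only the Go standard library: two certificates are issued for the same key with different serial numbers and two-year validity periods (self-signed here so it runs offline, standing in for a CA re-signing the same key), the SubjectPublicKeyInfo fingerprint stays identical while the whole-certificate fingerprint changes, and a certificate for a different key fails the pin check. The hostname example.test and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issueCert produces a certificate for key. It is self-signed to stay
// offline; a CA renewal is the same idea, a fresh signature over the same
// SubjectPublicKeyInfo with a new serial number and validity window.
func issueCert(key *ecdsa.PrivateKey, serial int64, notBefore time.Time, years int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed hostname
		DNSNames:     []string{"example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SPKIFingerprint hashes only the SubjectPublicKeyInfo, i.e. the site's
// public key. This is what a bookmark pin should store: it survives renewal
// and changes only when the site actually rotates its key.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CertFingerprint hashes the whole DER certificate. Because the serial,
// validity dates and CA signature are part of it, it changes on every renewal.
func CertFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// PinMatches is the check a browser would run against a bookmarked pin
// before entering the site.
func PinMatches(pinnedSPKI string, presented *x509.Certificate) bool {
	return SPKIFingerprint(presented) == pinnedSPKI
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	start := time.Date(2013, 8, 15, 0, 0, 0, 0, time.UTC)

	first, _ := issueCert(key, 1, start, 2)                  // original two-year cert
	renewed, _ := issueCert(key, 2, start.AddDate(2, 0, 0), 2) // renewal, same key

	pin := SPKIFingerprint(first) // what the bookmark stores
	fmt.Println("pin matches renewed cert:", PinMatches(pin, renewed))
	fmt.Println("cert fingerprints equal:", CertFingerprint(first) == CertFingerprint(renewed))

	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherCert, _ := issueCert(otherKey, 3, start, 2) // different key: this is the case that should warn
	fmt.Println("pin matches different key:", PinMatches(pin, otherCert))
}
```

The pin check compares hex strings of a 32-byte SHA-256 digest; a real browser implementation would compare the raw digests and would also still run normal chain validation, since the pin only answers "is this the key I bookmarked", not "is this certificate currently valid".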