> On Thursday, 15 August 2013 12:23:18 UTC+3, Gervase Markham wrote: > > On 14/08/13 07:09, Mikko Rantalainen wrote: > > > > > I'd say that such a bookmark would be highly probably safe, if that > > > bookmark did include fingerprint for the site public key (*not CA key > > > fingerprint*) and the browser did verify the fingerprint before > > > entering the site. > > > > Except that the bookmark would break with a scary warning whenever the > > site changed its key - i.e. once every two years. > > No. The site's public key does not need to be changed to request a new > certificate. CA signed certificate is technically a digital signature saying > that given public key signature belongs to a site. You can create a new > signature without changing the public key. The only reason CAs need to renew > the signatures in the first place is that they sign for limited time for > monetary purposes. (Officially CAs claim that the time limit is for security > purposes but why allow 2 year certs if time limit increases security?
Well the security argument is based on cryptanalysis due to traffic volume but it is especially annoying when firefox puts up a scary warning when you have a low traffic site and have doubled the recommended at the time key length, renew your dhparam often enough (if used) and don't have the time to update it immediately. >Why not issue a new signature every day and be done with broken revocation >lists?) Not sure what you mean here? -- _______________________________________________________________________ 'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy) _______________________________________________________________________ _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
