On Fri, Sep 5, 2014 at 5:30 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 04/09/14 14:25, Rob Stradling wrote:
>> When attempting to access an HTTPS site with an expired cert on Firefox
>> 32, you'll see a "This Connection is Untrusted" page that lets you add
>> an exception and proceed.
>>
>> But when attempting to access an HTTPS site with a revoked cert, you'll
>> see "Secure Connection Failed" and Firefox 32 does NOT let you proceed.
>>
>> Would it make sense to treat expired certs in the same way as revoked
>> certs?  (And if not, why not?)
>
> Logically, it does make sense. In practice, revocation has a near-zero
> false-positive rate, whereas expired sadly has a much greater
> false-positive rate. Which is why Firefox treats them differently.

Which means that expired short lived certs probably need to be treated
differently.

We probably need to mark them in some way as being intended to be
short lived. And we certainly need to fix the problem of getting them
renewed efficiently.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
