Gervase Markham wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>> The fact that connections to expired certificates are allowed by most if
>> not all browser vendors contributes to this problem, if this certificate
>> is removed from the CRL...then it's just an expired certificate which
>> was once valid, compared to a certificate which is actually revoked.
>
> Indeed. For Firefox 3, we plan to treat revoked and expired equally,
> preventing access in both cases.

Gerv, I am SO delighted to hear that! But, I have not heard (or read) it anywhere else. :-/

I gather that a lot of decisions are being made about the handling of security errors and "overrides" for FF3, decisions that may change the way things work significantly. I applaud that, especially if it results in fewer security errors being overridable on the "spur of the moment" by someone who is actively falling for a phishing attack.

But where are these decisions being recorded? Where can I go to read about them, and try to keep up with them?

/Nelson