Nelson Bolyard wrote:
> Gervase Markham wrote:
>> Eddy Nigg (StartCom Ltd.) wrote:
>>> The fact that connections to expired certificates are allowed by most if
>>> not all browser vendors contributes to this problem, if this certificate
>>> is removed from the CRL... then it's just an expired certificate which
>>> was once valid, compared to a certificate which is actually revoked.
>> Indeed. For Firefox 3, we plan to treat revoked and expired equally,
>> preventing access in both cases.
>
> Gerv, I am SO delighted to hear that!
> But, I have not heard (or read) it anywhere else. :-/

I just confirmed it with Johnathan, as he was sitting across from me when I wrote that response :-).

> I gather that a lot of decisions are being made about the handling of
> security errors and "overrides" for FF3, decisions that may change the way
> things work significantly. I applaud that, especially if it results in
> fewer security errors being overridable on the "spur of the moment" by
> someone who is actively falling for a phishing attack.
>
> But where are these decisions being recorded? Where can I go to read about
> them, and try to keep up with them?

It's a fair question. I agree that communication about the plans could be improved. I'll think about how best to do that.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security