Rob Stradling:
Another option would be to make a (small? :-) modification to NSS to
allow us to store an expiry date which overrode the one in the certificate.
Good idea. That would be much less hassle (compared to my proposal) for both
the CAs and Mozilla.
Yes, that's perhaps a good thing to have anyway!
Whenever a key is found whose "soft_insecure_after_date" is in the past,
NSS/Firefox/etc would warn the user, but allow them to choose to navigate to
the HTTPS site if they really want to.
Whenever a key is found whose "hard_insecure_after_date" is in the past,
NSS/Firefox/etc would warn the user and refuse to allow them to navigate to
the HTTPS site.
We need to make sure that this wouldn't affect other products, mainly
Thunderbird. But also for web sites I'm not sure how good that would be
(the hard fail), just imagine the hosting panel uses a certificate of an
affected key and now the poor guy can't even get in there to change the
certificate.
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
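
The two-date check proposed in this thread, as an added sketch that is not part of the original messages and is not NSS code. Only the field names "soft_insecure_after_date" and "hard_insecure_after_date" come from the thread; the table keyed by a SHA-256 of the public key, the `Verdict` names, the rule that stored dates never extend a certificate's own validity, and the sample key and dates are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Optional


class Verdict(Enum):
    ALLOW = "allow"
    WARN = "warn, user may continue"    # soft date is in the past
    BLOCK = "warn and refuse"           # hard date is in the past
    EXPIRED = "certificate expired"     # left to ordinary validity checking


@dataclass(frozen=True)
class KeyOverride:
    soft_insecure_after_date: Optional[datetime] = None
    hard_insecure_after_date: Optional[datetime] = None


def key_id(public_key: bytes) -> str:
    # Assumption: the table is indexed by SHA-256 of the encoded public key.
    return hashlib.sha256(public_key).hexdigest()


def evaluate(public_key: bytes, not_after: datetime,
             table: Dict[str, KeyOverride], now: datetime) -> Verdict:
    """Verdict for one certificate at `now`; all datetimes are timezone-aware."""
    entry = table.get(key_id(public_key))
    # Hard date is tested first, so an entry whose hard date precedes its
    # soft date still refuses instead of downgrading to a warning.
    if entry and entry.hard_insecure_after_date and entry.hard_insecure_after_date < now:
        return Verdict.BLOCK
    if not_after < now:
        return Verdict.EXPIRED   # assumption: stored dates shorten validity, never extend it
    if entry and entry.soft_insecure_after_date and entry.soft_insecure_after_date < now:
        return Verdict.WARN
    return Verdict.ALLOW


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: a placeholder key and made-up dates.
KEY_A = b"constructed-public-key-A"
TABLE = {key_id(KEY_A): KeyOverride(utc(2008, 6, 1), utc(2008, 12, 1))}
NOT_AFTER = utc(2010, 1, 1)

if __name__ == "__main__":
    for when in (utc(2008, 5, 1), utc(2008, 7, 1), utc(2009, 1, 1)):
        print(when.date(), evaluate(KEY_A, NOT_AFTER, TABLE, when).name)
```

The concern raised in the reply about the hard fail applies to the `BLOCK` branch: once it is returned there is no user override, so the table would also need a way to scope entries per application before it could be shared with products such as Thunderbird.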