
Re: STS and lockCA

From: Bil Corry <bil@corry.biz>
Date: Wed, 11 Nov 2009 07:25:52 -0800
Message-ID: <4AFAD780.3000504@corry.biz>
To: Gervase Markham <gerv@mozilla.org>
CC: Adam Barth <w3c@adambarth.com>, public-webapps@w3.org
Gervase Markham wrote on 11/11/2009 6:28 AM: 
> On 11/11/09 08:57, Adam Barth wrote:
>> Why do we need a browser mechanism for that?  It seems like the site
>> can easily compute whatever max-age value it wishes to set.
> 
> Not to mention the fact that you normally don't actually want the LockCA
> to expire at exactly the same time as the cert, because you don't
> normally change certs over the second they expire! One would hope to be
> safely on the new cert a week or two before the expiry of the old one -
> at which point, the seemingly-simple "expire when cert expires" setting
> comes back to bite you.

Would LockCA prevent the site from loading if it encountered a new cert from the same CA?  Or are you talking about a site that wants to switch CAs and is using LockCA?

How about instead there's a way to set the max-age relative to the cert expiration?  So -3024000 is two weeks before the cert expiration and 3024000 is two weeks after.  I'm in agreement with Devdatta that it would be easy for someone to lock out their visitors, and I think this is easier to implement.


- Bil
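The relative-to-expiry idea in the last paragraph, as an added example that is not from this thread: a server-side helper that turns an offset from the certificate's notAfter into the absolute max-age a browser expects, and emits no policy at all when that lifetime has already run out (in HSTS a literal max-age=0 removes the policy rather than locking anything). The function names, the parameter name and the sample dates are assumptions made for this example.

```python
import ssl
import time

# Constructed sample values (not from the thread): the certificate expires
# 14 days after "now".
CERT_NOT_AFTER = "Nov 25 07:25:52 2009 GMT"
NOW = ssl.cert_time_to_seconds("Nov 11 07:25:52 2009 GMT")


def max_age_from_cert_expiry(not_after, relative_to_expiry, now=None):
    """Absolute max-age (seconds from now) for an STS/LockCA policy.

    not_after: certificate notAfter in the format ssl.getpeercert() uses,
               e.g. "Nov 25 07:25:52 2009 GMT".
    relative_to_expiry: seconds relative to notAfter; negative means the
               policy lapses that long before the cert expires, positive
               means it outlives the cert by that much.
    Returns 0 when the policy would already have lapsed, which also covers a
    certificate that is already past its notAfter.
    """
    if now is None:
        now = time.time()
    expiry = ssl.cert_time_to_seconds(not_after)
    policy_end = expiry + relative_to_expiry
    return max(0, int(policy_end - now))


def sts_header_value(not_after, relative_to_expiry, now=None):
    """Header value to send, or None when no policy should be emitted.

    Sending max-age=0 is not a harmless no-op: a browser treats it as an
    instruction to drop the stored policy, so a lapsed lifetime maps to
    'send nothing' instead.
    """
    max_age = max_age_from_cert_expiry(not_after, relative_to_expiry, now)
    if max_age == 0:
        return None
    return "max-age=%d" % max_age


if __name__ == "__main__":
    for offset in (3024000, -604800, -3024000):
        print(offset, sts_header_value(CERT_NOT_AFTER, offset, NOW))
```

With the sample dates, an offset of -3024000 (the negative figure from the thread) already lies before "now", so no header is produced; a smaller negative offset such as -604800 yields a policy that ends one week before the certificate does.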
Received on Wednesday, 11 November 2009 15:26:21 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT