Re: STS and lockCA

Gervase Markham wrote on 11/11/2009 6:28 AM: 
> On 11/11/09 08:57, Adam Barth wrote:
>> Why do we need a browser mechanism for that?  It seems like the site
>> can easily compute whatever max-age value it wishes to set.
> 
> Not to mention the fact that you normally don't actually want the LockCA
> to expire at exactly the same time as the cert, because you don't
> normally change certs over the second they expire! One would hope to be
> safely on the new cert a week or two before the expiry of the old one -
> at which point, the seemingly-simple "expire when cert expires" setting
> comes back to bite you.

Would LockCA prevent the site from loading if it encountered a new cert from the same CA?  Or are you talking about a site that wants to switch CAs and is using LockCA?

How about instead there's a way to set the max-age relative to the cert expiration?  So -3024000 is two weeks before the cert expiration and 3024000 is two weeks after.  I'm in agreement with Devdatta that it would be easy for someone to lock out their visitors, and I think this is easier to implement.


- Bil

Received on Wednesday, 11 November 2009 15:26:21 UTC
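Bil's relative max-age idea worked through as an added example (not code from this thread, from any browser, or from the STS draft): the max-age is derived from the current certificate's notAfter plus a signed offset, and a second check flags a lock that would still be in force after the date the operator plans to have moved to the next certificate (Gervase's objection). The timestamps, the 14-day switchover lead time and the header name are my assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed example. Convention from the thread: a negative offset ends the
# lock that many seconds BEFORE the certificate expires, a positive one AFTER.

def relative_max_age(now, not_after, offset_seconds):
    """Seconds from `now` until not_after + offset_seconds.
    Raises if that instant is already past: emitting such a policy would be
    pointless (max-age=0 actually clears the policy in the client)."""
    ends_at = not_after + timedelta(seconds=offset_seconds)
    remaining = int((ends_at - now).total_seconds())
    if remaining <= 0:
        raise ValueError("lock would already have expired; renew the cert first")
    return remaining

def lock_header(now, not_after, offset_seconds, lead_time_seconds):
    """Return (header value, outlives_switchover).
    outlives_switchover is True when the lock is still active after the
    moment the operator intends to be on the new certificate, i.e. the
    situation in which a CA change would lock visitors out."""
    max_age = relative_max_age(now, not_after, offset_seconds)
    switchover = not_after - timedelta(seconds=lead_time_seconds)
    outlives = now + timedelta(seconds=max_age) > switchover
    return f"max-age={max_age}", outlives

if __name__ == "__main__":
    # Constructed timestamps: message date as "now", cert expiring 1 Jan 2010.
    now = datetime(2009, 11, 11, 15, 26, 21, tzinfo=timezone.utc)
    not_after = datetime(2010, 1, 1, tzinfo=timezone.utc)
    two_weeks = 14 * 86400
    for offset in (-3024000, 3024000):
        print(offset, lock_header(now, not_after, offset, two_weeks))
```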