Re: STS and lockCA

On Wed, Nov 11, 2009 at 7:25 AM, Bil Corry <bil@corry.biz> wrote:
> Would LockCA prevent the site from loading if it encountered a new cert from the same CA?

My understanding is that it would not.

> Or are you talking about a site that wants to switch CAs and is using LockCA?

I think Gervase means that you want some overlap so that folks that
connect to your site the day after you renew your certificate are
protected.

> How about instead there's a way to set the max-age relative to the cert expiration?  So -3024000 is two weeks before the cert expiration and 3024000 is two weeks after.  I'm in agreement with Devdatta that it would be easy for someone to lock out their visitors, and I think this is easier to implement.

That seems overly complicated and contrary to the semantics of max-age
in other HTTP headers.

I'm not convinced we need to paternally second-guess site operators.
Keep in mind that the site operator can supply a lower max-age in a
subsequent request if they realize they screwed up and want to reduce
the duration.  That said, it might be worth capping the max-age at one
or two years.

Adam

Received on Thursday, 12 November 2009 09:09:00 UTC
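As an added illustration of the two points Adam makes (a later, lower max-age shortens an already-stored policy, and a client-side cap bounds how long a mistake can last), here is a small Python model of a per-host STS store. It is example code written for this page, not code from the thread or any browser; the two-year cap and the `max-age=` / `includeSubDomains` directive syntax are assumptions for the example.

```python
import re

# Assumed cap for this example: two years in seconds, the upper bound
# floated in the thread (not a value any specification mandates here).
MAX_AGE_CAP = 2 * 365 * 24 * 3600

_MAX_AGE_RE = re.compile(r'^\s*max-age\s*=\s*"?(\d+)"?\s*$', re.IGNORECASE)


def parse_sts(header_value):
    """Return (max_age_seconds, include_subdomains) from an STS header value,
    or None when no valid max-age directive is present."""
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        m = _MAX_AGE_RE.match(directive)
        if m:
            max_age = int(m.group(1))
        elif directive.strip().lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def apply_sts(store, host, header_value, now):
    """Update the per-host store the way a cautious client would: cap the
    max-age, and let a later (lower) max-age shorten an existing entry.
    A max-age of 0 removes the policy entirely."""
    parsed = parse_sts(header_value)
    if parsed is None:
        return store  # malformed header: leave any existing policy untouched
    max_age, include_sub = parsed
    max_age = min(max_age, MAX_AGE_CAP)
    if max_age == 0:
        store.pop(host, None)
    else:
        store[host] = {"expires": now + max_age, "include_subdomains": include_sub}
    return store


def is_sts_host(store, host, now):
    """True while a stored policy for host has not yet expired."""
    entry = store.get(host)
    return entry is not None and entry["expires"] > now


if __name__ == "__main__":
    s = apply_sts({}, "example.com", "max-age=315360000; includeSubDomains", 1000)
    s = apply_sts(s, "example.com", "max-age=86400", 2000)  # operator shortens it
    print(s["example.com"]["expires"] - 2000)  # 86400
```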