Eddy Nigg wrote:
[...] No exception can be added for revoked certificates, but for expired ones it's possible - hence it suggests that revocation is more severe than expired (if one can think in those terms). Or how would you explain that?
As I have already found myself in the situation of really needing to override an expired certificate, I beg to differ and find an explanation.
In the case of revoked certificates, you have positive proof that the CA wants that cert to be revoked.
In the case of expired certificates, you just don't know. So it leave the possibility that you have out of band information that the key is not compromised and that you should be able to access the site.
Another way of seeing this : The trouble here is that the Firefox SSL model mixes two things, telling me that the site is invalid, and letting me access it or not. Which as a consequence means that I sometimes need to override it whilst knowing the site is really invalid but I just need to access it despite that. The mail security model doesn't do that : I'll have a broken key but I'll still be able to read the mail even if the signature is invalid.
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
