On 21/07/16 12:03, Chris Drake wrote:
Hi Yaron,
The premise seems wrong:
These certificates allow the domain owner to terminate the TLS server's
authorization when necessary,
While that is technically true, it does not facilitate the *purpose* of
the termination (which would be to prevent continued CDN content
distribution) - clients can simply ignore the "expired certificate"
problem and still get the content.
Trying to build a kludge to use certificates where session keys should
be used instead seems a bad-idea(tm) to me.
Kind Regards,
Chris Drake
Hi Chris,
I am not following your reasoning: the CDN can *always* distribute
content under a fake or self-signed certificate, even if we have
real-time termination of its session keys. After all, it (usually) has a
full copy of the content!
Or are you saying that clients behave differently for expired vs.
self-signed certs? I am not sure that this is the case.
Thanks,
Yaron
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme