Hi Eric,

Every browser in the world lets you retrieve content despite any kind of certificate problem, expiry included, so no, this idea will never be suitable for CDN revocation. Certificate expiry will take DAYS before anything at all happens, so no, this idea will never be suitable for CDN revocation *for sure*.

CDN revocation is itself a rare and silly use case to start with. Banks do not use special paper so that people rolling cigarettes out of them have less-carcinogenic experiences. Yes, it's a use case. No, it's not sensible. More people smoke tobacco through banknotes than will ever want to revoke CDN permissions in your use case. Imagine a bank which kept all its money in a big pile on the street, with a post-it note stuck there saying "please do not take this money". This is what you are proposing with your idea.

Maybe there's a valid use case for short-lived certs? This CDN one is not.

Kind Regards,
Chris Drake

Monday, July 25, 2016, 1:00:02 AM, you wrote:

On Sun, Jul 24, 2016 at 12:52 PM, Chris Drake <[email protected]> wrote:

Hi Rich,

> If the certificate expires, the browsers will ignore it.

Yes, exactly, that is my point. Certificate expiry is a near-useless mechanism for CDN revocation.

By "Ignore", I believe Rich meant "Reject".

-Ekr

Kind Regards,
Chris Drake

Sunday, July 24, 2016, 11:26:45 AM, you wrote:

>> What happens to your content *after* you've changed your CDN is *not* a
>> problem you can fix with certificates.

SR> Gee, I thought I showed otherwise.
SR> If the certificate expires, the browsers will ignore it.
SR> Ok?

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
