On Sun, Jul 24, 2016 at 6:03 PM, Chris Drake <[email protected]> wrote:
> Hi Eric,
>
> Every browser in the world lets you retrieve content despite any kind of
> certificate problem, expiry included, so no, this idea will never be
> suitable for CDN revocation.
>

This is not true. Most browsers will flag a full-screen certificate warning and not allow the user to proceed without clicking through scary text. Additionally, browsers that support HSTS will not allow users to click through these warnings at all, for origins which have a statically or dynamically set HSTS policy. In both cases, certificate expiration can deter user interaction with an origin. In the latter case, the barrier to user interaction with the website behind the expired certificate is very high.

-- Eric
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
