I have to ask how/why you would be sending the user to said CDN supplier (via DNS) in the first place for them to see said expired cert (plus warnings, if the client gives them).

I agree, user/owner sudden distrust of a previously trusted CDN is the worst possible reason to demand CAs provide a method to have insanely short (and thus more expensive to provide in terms of resources) certs available. Renewal takes X resources, and a CA has resources to handle Y normal renewals per 90 days; based on letsencrypt terms, a 2-day cert is x*45 times the resources, thus, to handle the same amount of customers, 45 times the server capacity and bandwidth to operate.

I would suggest, for the few requiring/demanding their chosen CDN have a "salt the earth and delete all data when they leave" policy, that they instead pay the extra at the start to have explicit personalised terms of service drawn up with their CDN supplier stating they will terminate/delete/purge all data within X hours of notification, rather than making the CA (and CDN) work harder (not smarter) every day just so they (the owner) can have less hassle the one day they quit.

Automation may make repetitive tasks easier, but it's still never good to repeat tasks more often than necessary just because automation has made it possible/easy (especially as a CDN will normally have a maxed-out SAN cert on each IP to enable swapping/load-balancing/reassigning domains to servers on the fly, and thus one customer demanding a 2-day renewal basically causes all to be 2-day renewals).

At 17:38 25/07/2016 Monday, Yaron Sheffer wrote:
>I think we are slowly but surely getting into the weeds on this one. When we
>talk about "CDN revocation" (for lack of a better term), we mean that after a
>certain date, the owner of the content:
>
>- Does not want the CDN, or a rogue employee of the CDN, to present the
>content as an authoritative source. If the user sees a big browser warning,
>that would *not* look authoritative.
>
>- Does not want the CDN to be able to MITM the site for more sensitive
>traffic, such as POST messages that contain user passwords.
>
>Short-term certs would handle this use case just fine.
>
>And as a content owner, it's really nice to be able to leave a CDN whenever I
>want to, without having to rely on it to keep my secrets for a few more years
>while we no longer have a business relationship.
>
>Thanks,
> Yaron
>
>_______________________________________________
>Acme mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/acme
