Open Bug 1221033 Opened 9 years ago Updated 2 years ago

Make expiry non-overrideable for short-lived certificates

Categories

(Core :: Security: PSM, defect, P3)

People

(Reporter: gerv, Unassigned)

Details

(Whiteboard: [psm-backlog])

If a certificate is short-lived according to the definition in bug 1141189, I suggest it would be an improvement to make it so that revocation is non-overrideable.

"Revocation" for a short-lived certificate means letting it expire, and so we should treat expiry and revocation the same. Sites which opt in to using short-lived certs should know that rotating their certs in a timely fashion is important.

We may want to gate this on bugs which allow Firefox to have a better idea of what time it really is (as opposed to looking at the system clock, which can be wrong.) 

Gerv

This is probably blocked on us having a better idea of what time it is, independent of the user's system clock.
Priority: -- → P3
Severity: normal → S3