Make expiry non-overrideable for short-lived certificates

NEW
Unassigned

Status

Core
Security: PSM
P3
normal
2 years ago
5 months ago

People

(Reporter: gerv, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [psm-backlog])

If a certificate is short-lived according to the definition in bug 1141189, I suggest it would be an improvement to make it so that revocation is non-overrideable.

"Revocation" for a short-lived certificate means letting it expire, and so we should treat expiry and revocation the same. Sites which opt in to using short-lived certs should know that rotating their certs in a timely fashion is important.

We may want to gate this on bugs which allow Firefox to have a better idea of what time it really is (as opposed to looking at the system clock, which can be wrong).

Gerv
Whiteboard: [psm-backlog]
This is probably blocked on us having a better idea of what time it is, independent of the user's system clock.
Priority: -- → P3
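
The policy proposed in this bug, combined with the clock caveat raised in both comments, sketched as an added example that is not Firefox or PSM code. The names `ClassifyExpiry`, `TimeSource` and `maxLifetimeDays` are hypothetical, and the short-lived threshold is a parameter because its definition lives in bug 1141189 and is not reproduced here.

```cpp
#include <cstdint>

// Added illustration, not Firefox/PSM code; every name here is hypothetical.
enum class ExpiryVerdict { Valid, NotYetValid, ExpiredOverridable, ExpiredNonOverridable };

struct CertValidity {
  int64_t notBefore;  // seconds since the Unix epoch
  int64_t notAfter;   // seconds since the Unix epoch
};

struct TimeSource {
  int64_t now;       // current time, seconds since the Unix epoch
  bool independent;  // true only when corroborated by something other than the system clock
};

constexpr int64_t kSecondsPerDay = 86400;

// "Short-lived" is defined in bug 1141189; the threshold is passed in as an assumption.
bool IsShortLived(const CertValidity& cert, int64_t maxLifetimeDays) {
  return cert.notAfter >= cert.notBefore &&
         cert.notAfter - cert.notBefore <= maxLifetimeDays * kSecondsPerDay;
}

ExpiryVerdict ClassifyExpiry(const CertValidity& cert, const TimeSource& time,
                             int64_t maxLifetimeDays) {
  if (time.now < cert.notBefore) return ExpiryVerdict::NotYetValid;
  if (time.now <= cert.notAfter) return ExpiryVerdict::Valid;
  // Expired. Hard-fail only when the cert is short-lived AND the time is trustworthy;
  // a wrong system clock must not lock the user out with no override.
  if (IsShortLived(cert, maxLifetimeDays) && time.independent) {
    return ExpiryVerdict::ExpiredNonOverridable;
  }
  return ExpiryVerdict::ExpiredOverridable;
}

int main() {
  // Constructed sample: a 3-day certificate checked one hour after expiry.
  const int64_t issued = 1700000000;
  const CertValidity cert{issued, issued + 3 * kSecondsPerDay};
  const TimeSource trusted{cert.notAfter + 3600, true};
  const int64_t assumedThresholdDays = 10;  // constructed value for the demo
  return ClassifyExpiry(cert, trusted, assumedThresholdDays) ==
                 ExpiryVerdict::ExpiredNonOverridable ? 0 : 1;
}
```

With `independent` set to false the same expired short-lived certificate falls back to the overridable error, which is the gating both comments ask for.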