[cryptography] current status of SSL revocation support

travis+ml-rbcryptography at subspacefield.org travis+ml-rbcryptography at subspacefield.org
Thu Aug 26 17:28:20 EDT 2010


Perry didn't appear to forward this on to the list (I guess questions
are OT):

I got the impression, many years ago, that you couldn't rely on
systems to check revocation status, even if the system was online.

I was wondering what the current status was on this for the various
implementations (OpenSSL and NSS, in particular).

I think I saw in OpenSSL cert generation that you could optionally set
a CRL URL in CA certs, but I don't know what the mechanism is for
downloading that; if it's up to the client, I suppose you can't rely
on the client app to actually do it, and I wonder how failures would
get reported - making it a potential case where bit rot may not get
noticed.

I also recall, around the time of the 7th Usenix security symposium,
that there were various proposals for protocols to look up revoked
certs efficiently (they were also mentioned in Peter Gutmann's crypto
tutorial), but I haven't kept up on these.

Any links on the subject, or key management generally, would be much
appreciated.
-- 
It asked me for my race, so I wrote in "human". -- The Beastie Boys
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john at subspacefield.org to get blacklisted.

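The question above, whether the crlDistributionPoints URL in a certificate actually causes anything to be downloaded and checked, can be answered for OpenSSL's command-line verifier with a small experiment. The script below is an added example, not part of the original post: it builds a throwaway CA, issues a leaf certificate carrying a CRL distribution point, revokes it, and runs `openssl verify` four ways. The CA name, host names and the `crl.example.test` URL are constructed for the demo; the config sections and file layout are my own assumptions about a minimal `openssl ca` setup.

```shell
#!/bin/sh
# Added example (not from the original post): show that `openssl verify` only
# consults revocation when -crl_check is given, and even then never fetches the
# CRL distribution point URL itself; the caller must hand it a CRL (-CRLfile).
# All names (Example Test CA, leaf.example.test, crl.example.test) are constructed.

setup_pki() {
  WORK="$(mktemp -d)"
  cd "$WORK" || return 1

  # Minimal config shared by `req`, `x509 -extfile` and `ca` (constructed for this demo).
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
# Advisory only: nothing in `openssl verify` will fetch this URL.
crlDistributionPoints = URI:http://crl.example.test/ca.crl
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  touch index.txt
  echo 1000 > crlnumber
  echo 01 > serial

  # Self-signed CA, then a leaf certificate signed by it with the CRL DP extension.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -config ca.cnf -extensions ca_ext -days 30 >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -config ca.cnf -subj "/CN=leaf.example.test" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out leaf.crt -days 30 -extfile ca.cnf -extensions leaf_ext >/dev/null 2>&1

  # CRL before any revocation, then revoke the leaf and issue a second CRL.
  openssl ca -config ca.cnf -gencrl -out empty.crl >/dev/null 2>&1
  openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out revoked.crl >/dev/null 2>&1
}

# Default verification: revocation is never consulted, so a revoked cert passes.
verify_plain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# -crl_check with no CRL supplied: OpenSSL does not follow the DP URL; it fails
# closed with "unable to get certificate CRL".
verify_crl_check_no_crl() {
  openssl verify -CAfile "$WORK/ca.crt" -crl_check "$WORK/leaf.crt" >/dev/null 2>&1
}

# -crl_check with a CRL the caller obtained out of band ($1 is a file in $WORK).
verify_with_crl() {
  openssl verify -CAfile "$WORK/ca.crt" -crl_check -CRLfile "$WORK/$1" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Stand-alone run: print the four outcomes.
setup_pki
verify_plain            && echo "no -crl_check:            OK  (revocation never consulted)"
verify_crl_check_no_crl || echo "-crl_check, no CRL given: FAIL (DP URL is not fetched)"
verify_with_crl empty.crl   && echo "-crl_check, empty CRL:    OK"
verify_with_crl revoked.crl || echo "-crl_check, revoked CRL:  FAIL (certificate revoked)"
```

The two failing cases are the ones that matter for a deployment: the library reports a missing CRL as a verification error rather than silently skipping the check, so an application that turns on CRL checking but never arranges to download the CRL will notice immediately, whereas one that never enables the flag gets no signal at all.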