[cryptography] Chrome to drop CRL checking

Florian Weimer fw at deneb.enyo.de
Tue Feb 7 09:50:55 EST 2012


* Marcus Brinkmann:

> Certainly the privacy concern that Google expresses "because the CA
> learns the IP address of users and which sites they're visiting" does
> not extend to Google itself, which already has much more detailed
> information about its users.

The CRL check is also done locally (but some other security checks
aren't, admittedly).  And someone at Symantec actually looked at the
OCSP logs:

<http://www.symantec.com/connect/blogs/more-two-billion-ocsp-lookups-single-day>

Unfortunately, CRLs have the same flaw as OCSP: it is impossible to
recover from most CA process failures because the CRL does not
actually pin down certificate contents and it is possible to have a
collision with a practically irrevocable certificate.
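The revocation flaw described in the message above, as an added illustration that is not part of the original mail. It uses a simplified certificate model (a few fields plus a toy stand-in for the DER encoding, not real X.509 parsing) and a constructed scenario: a rogue certificate that shares its issuer and serial number with a legitimate one. A CRL keyed on (issuer, serial), which is all an X.509 CRL entry carries, cannot revoke the rogue certificate without also revoking the legitimate one; a blocklist keyed on a hash of the full certificate contents can. The names `SerialCrl`, `FingerprintBlocklist`, `LEGIT` and `ROGUE` are this example's own.

```python
"""Why a serial-number CRL cannot pin down certificate contents.

Simplified model, constructed for illustration (not real X.509 parsing):
a certificate is a handful of fields; a CRL entry is just (issuer, serial);
a content-pinned blocklist entry is the SHA-256 of the whole certificate.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str
    spki: bytes  # public-key bytes (toy values below)

    def encoded(self) -> bytes:
        # Stand-in for the DER encoding; what a content-pinned list hashes.
        return b"|".join([self.issuer.encode(), str(self.serial).encode(),
                          self.subject.encode(), self.spki])

    def fingerprint(self) -> str:
        return hashlib.sha256(self.encoded()).hexdigest()


class SerialCrl:
    """Revocation keyed the way an X.509 CRL is: issuer plus serial number."""

    def __init__(self) -> None:
        self._revoked: set[tuple[str, int]] = set()

    def revoke(self, cert: Cert) -> None:
        self._revoked.add((cert.issuer, cert.serial))

    def is_revoked(self, cert: Cert) -> bool:
        return (cert.issuer, cert.serial) in self._revoked


class FingerprintBlocklist:
    """Revocation keyed on a hash of the certificate's full contents."""

    def __init__(self) -> None:
        self._revoked: set[str] = set()

    def revoke(self, cert: Cert) -> None:
        self._revoked.add(cert.fingerprint())

    def is_revoked(self, cert: Cert) -> bool:
        return cert.fingerprint() in self._revoked


# Constructed scenario: a CA process failure (or a collision attack) has
# produced a rogue certificate carrying the same issuer and serial as a
# legitimate, widely deployed one. Different subject and key, same CRL key.
LEGIT = Cert("CN=Example CA", 0x1234, "CN=www.example.com", b"legit-key")
ROGUE = Cert("CN=Example CA", 0x1234, "CN=login.example.com", b"rogue-key")


def revoke_rogue_with_crl() -> tuple[bool, bool]:
    """Revoke the rogue cert by serial; returns (legit_revoked, rogue_revoked).

    Both come back True: the CRL cannot tell the two certificates apart, so
    if LEGIT is something you cannot afford to revoke, ROGUE is effectively
    irrevocable.
    """
    crl = SerialCrl()
    crl.revoke(ROGUE)
    return crl.is_revoked(LEGIT), crl.is_revoked(ROGUE)


def revoke_rogue_with_fingerprint() -> tuple[bool, bool]:
    """Revoke the rogue cert by content hash; only ROGUE is affected."""
    blocklist = FingerprintBlocklist()
    blocklist.revoke(ROGUE)
    return blocklist.is_revoked(LEGIT), blocklist.is_revoked(ROGUE)


if __name__ == "__main__":
    print("CRL (legit, rogue) revoked:", revoke_rogue_with_crl())
    print("pin (legit, rogue) revoked:", revoke_rogue_with_fingerprint())
```

The same limitation applies to OCSP, whose request also names the certificate by issuer and serial; a responder has no way to say "revoked" for one of two certificates that share those values.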


