[cryptography] Chrome to drop CRL checking
fw at deneb.enyo.de
Tue Feb 7 09:50:55 EST 2012
* Marcus Brinkmann:
> Certainly the privacy concern that Google expresses "because the CA
> learns the IP address of users and which sites they're visiting" does
> not extend to Google itself, which already has much more detailed
> information about its users.
The CRL check is also done locally (but some other security checks
aren't, admittedly). And someone at Symantec actually look at the
Unfortunately, CRLs have the same flaw as OCSP: it is impossible to
recover from most CA process failures because the CRL does not
actually pin down certificate contents and it is possible to have a
collision with a practically irrevocable certificate.
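The following sketch is an added example, not part of the original message. It models one reading of the point above: a CRL entry names a certificate only by issuer and serial number (RFC 5280), so two certificates with the same serial cannot be revoked independently. All names, the serial, the keys and the fingerprint-based list used for contrast are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str
    public_key: bytes

    def fingerprint(self) -> str:
        # Hash over every field; a stand-in for hashing the DER encoding.
        blob = f"{self.issuer}|{self.serial}|{self.subject}|".encode()
        return hashlib.sha256(blob + self.public_key).hexdigest()


def revoked_by_crl(cert: Cert, crl_issuer: str, revoked_serials: set) -> bool:
    """CRL-style check: the entry carries a serial number, not the contents."""
    return cert.issuer == crl_issuer and cert.serial in revoked_serials


def revoked_by_fingerprint(cert: Cert, revoked_fingerprints: set) -> bool:
    """Hypothetical content-pinned list, shown only for contrast."""
    return cert.fingerprint() in revoked_fingerprints


# Constructed sample data: a certificate issued through a CA process failure
# shares its serial with a certificate that cannot practically be revoked.
ISSUER = "CN=Example Root CA"
legit = Cert(ISSUER, 0x1001, "CN=Example Intermediate CA", b"legit-key")
rogue = Cert(ISSUER, 0x1001, "CN=www.example.test", b"rogue-key")


def compare() -> dict:
    """Return (rogue revoked?, legit revoked?) for each kind of list."""
    crl = {rogue.serial}              # the only handle a CRL entry offers
    pinned = {rogue.fingerprint()}    # handle that covers the contents
    return {
        "crl": (revoked_by_crl(rogue, ISSUER, crl),
                revoked_by_crl(legit, ISSUER, crl)),
        "pinned": (revoked_by_fingerprint(rogue, pinned),
                   revoked_by_fingerprint(legit, pinned)),
    }


if __name__ == "__main__":
    print(compare())
```
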