[cryptography] Chrome to drop CRL checking
andy at steingruebl.com
Tue Feb 7 18:41:59 EST 2012
On Tue, Feb 7, 2012 at 6:05 AM, Marcus Brinkmann <marcus.brinkmann at ruhr-uni-bochum.de> wrote:
> That's a false dilemma. You could also extract trust from your cache, ie
> your past experience with the same server (the SSH model), and/or from your
> past connections with the internet (CRL or monitoring servers differently
> from Google Chrome autoupdater).
> Langley doesn't state why he is limiting the options in this way. It is
> probably a mix of cultural bias and technical reasons (performance, etc).
> In any case, the proposal still keeps an old-fashioned CRL around to check.
> Later on, Langley seems to want to replace the CRL with a positive proof
> of freshness:
You do realize that there is a lot of work going on in parallel to fix all
of this, and the current CRL distribution is yet one of many things they
are likely exploring, right?
I don't remember Adam saying in his blog post or in any other posts, etc.
that this is the only change they will make to Chrome. At the same time I
think they did get fairly tired of hard-coding a CRL list into the Chrome
binary itself for the CA breaches...
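The quoted reply mentions extracting trust "from your cache, ie your past experience with the same server (the SSH model)". The following is an added illustration of that trust-on-first-use idea, written for this discussion and not code from Chrome, Google or anyone on the thread. It keeps a known-hosts style cache of certificate fingerprints keyed by hostname, reports a new host on first sight, a match on later visits, and a mismatch when the presented certificate changes. The `der_cert` byte strings and hostnames are constructed stand-ins for real DER-encoded certificates; the store, method names and verdict strings are this example's own assumptions. The design point it makes is the failure mode the model carries: a mismatch cannot distinguish a legitimate certificate rotation from an interposed server, so the cache alone can only flag the change, and re-pinning has to be an explicit, separately justified decision.

```python
import hashlib
import json
from datetime import datetime, timezone

FIRST_SEEN = "first-seen"   # host never cached before: trust is established now
MATCH = "match"             # presented certificate equals the cached one
MISMATCH = "mismatch"       # certificate changed: rotation or interposition, cannot tell


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate bytes, hex encoded (SSH known_hosts style)."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Trust-on-first-use cache: hostname -> first-seen fingerprint and timestamp."""

    def __init__(self):
        self._known = {}

    def check(self, host: str, der_cert: bytes, now: datetime = None) -> str:
        """Compare the presented certificate with what this client saw before."""
        fp = fingerprint(der_cert)
        now = now or datetime.now(timezone.utc)
        entry = self._known.get(host)
        if entry is None:
            # First contact: there is nothing to compare against, so the cache
            # simply records what it saw. This is the window the SSH model accepts.
            self._known[host] = {"fingerprint": fp, "first_seen": now.isoformat()}
            return FIRST_SEEN
        if entry["fingerprint"] == fp:
            return MATCH
        # A changed certificate is only a signal; the cache is deliberately NOT
        # updated here, because doing so silently would defeat the whole model.
        return MISMATCH

    def accept_new(self, host: str, der_cert: bytes, reason: str, now: datetime = None) -> None:
        """Re-pin a host after an out-of-band decision (operator-verified rotation).

        The reason is stored so the cache carries a record of why trust changed.
        """
        now = now or datetime.now(timezone.utc)
        self._known[host] = {
            "fingerprint": fingerprint(der_cert),
            "first_seen": now.isoformat(),
            "repinned_reason": reason,
        }

    def dump(self) -> str:
        """Serialise the cache so trust survives across sessions, like known_hosts."""
        return json.dumps(self._known, sort_keys=True)

    @classmethod
    def load(cls, text: str) -> "TofuStore":
        store = cls()
        store._known = json.loads(text)
        return store


def demo() -> list:
    """Walk a constructed host through first contact, a repeat visit, a changed
    certificate, and an explicit re-pin. Returns the sequence of verdicts."""
    # Constructed stand-ins for DER certificates; real ones would be the raw
    # bytes handed over during the TLS handshake.
    cert_v1 = b"constructed-der-cert-example.test-v1"
    cert_v2 = b"constructed-der-cert-example.test-v2"
    store = TofuStore()
    verdicts = [store.check("example.test", cert_v1)]      # first-seen
    verdicts.append(store.check("example.test", cert_v1))  # match
    verdicts.append(store.check("example.test", cert_v2))  # mismatch, nothing updated
    # The cache round-trips through its serialised form without losing the pin.
    store = TofuStore.load(store.dump())
    verdicts.append(store.check("example.test", cert_v2))  # still mismatch
    store.accept_new("example.test", cert_v2, reason="operator confirmed rotation")
    verdicts.append(store.check("example.test", cert_v2))  # match after re-pin
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` yields `['first-seen', 'match', 'mismatch', 'mismatch', 'match']`. The fourth verdict is the one worth noticing: persisting and reloading the cache must not quietly adopt the new certificate, which is exactly the property a revocation mechanism such as a CRL provides that a pure cache does not, a positive statement about whether the previously trusted certificate is still good.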