[cryptography] Chrome to drop CRL checking

Andy Steingruebl andy at steingruebl.com
Tue Feb 7 18:41:59 EST 2012


On Tue, Feb 7, 2012 at 6:05 AM, Marcus Brinkmann <
marcus.brinkmann at ruhr-uni-bochum.de> wrote:

>
>>
> That's a false dilemma.  You could also extract trust from your cache, i.e.,
> your past experience with the same server (the SSH model), and/or from your
> past connections with the internet (CRL or monitoring servers differently
> from Google Chrome autoupdater).
>
> Langley doesn't state why he is limiting the options in this way.  It is
> probably a mix of cultural bias and technical reasons (performance, etc).
>
> In any case, the proposal still keeps an old-fashioned CRL around to check.
>
> Later on, Langley seems to want to replace the CRL with a positive proof
> of freshness:
>
> http://www.imperialviolet.org/2011/11/29/certtransparency.html


You do realize that there is a lot of work going on in parallel to fix all
of this, and the current CRL distribution is yet one of many things they
are likely exploring, right?

I don't remember Adam saying in his blog post or in any other posts, etc.,
that this is the only change they will make to Chrome.  At the same time I
think they did get fairly tired of hard-coding a CRL list into the Chrome
binary itself for the CA breaches...

- Andy