[cryptography] Chrome to drop CRL checking

=JeffH Jeff.Hodges at KingsMountain.com
Wed Feb 8 00:24:17 EST 2012


Taral <taralx at gmail.com> noted..
 >
 > On Tue, Feb 7, 2012 at 7:25 AM, Alexandre Dulaunoy <a at foo.be> wrote:
 >> $ ./crlset dump crl-set | wc -l
 >> 1656
 >>
 >> Maybe they use a bloomfilter-like format or something like that. But
 >> it seems that their current bundle is
 >> not matching the numbers of the revoked certificate especially the
 >> ones with a reason.
 >>
 >> Information about the Google CRLSet format is welcome.
 >
 > A glance at the code says the dump is of the form:
 >
 > spki hash
 >   serial
 >   serial
 >   serial
 >
 > And it looks like it's been updated:
 >
 > % ./crlset dump crlset | grep '^ ' | wc -l
 > 3809

Note that one needs to do this sequence to get similar results as above (i.e. 
Taral's results)...

$ ./crlset fetch > foo

$ ./crlset dump foo | grep '^ ' | wc -l
3809


I.e. you need to actually fetch the latest update, then dump it. Otherwise 
you'll be stuck with your previous numbers, assuming you request dumping of the 
same file you've previously fetched to.

HTH,

=JeffH
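
An added example (not part of the original message or of the crlset tool): a small shell function that summarises text in the dump layout Taral describes, with an SPKI hash at column 0 followed by indented serial lines. It shows why a plain `wc -l` over the dump and `grep '^ ' | wc -l` give different numbers. The names `crlset_summary` and `sample_dump` and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Reads dump-style text on stdin.
# Line 1 of output: "<issuers> <serials> <orphans>"
# Then one line per issuer: "<spki> <serial count>"
crlset_summary() {
    awk '
        /^[ \t]*$/ { next }                  # skip blank lines
        /^[ \t]/ {                           # indented line: a revoked serial
            if (cur == "") { orphans++; next }   # serial seen before any issuer
            count[cur]++; serials++
            next
        }
        {                                    # column 0: a new SPKI hash
            cur = $1
            if (!(cur in count)) { order[++issuers] = cur; count[cur] = 0 }
        }
        END {
            printf "%d %d %d\n", issuers, serials, orphans
            for (i = 1; i <= issuers; i++)
                printf "%s %d\n", order[i], count[order[i]]
        }
    '
}

# Constructed sample in the same layout (values are made up, not real CRLSet data).
sample_dump() {
cat <<'EOF'
aaaa1111
  01
  02ff
bbbb2222
  1000
EOF
}

# Stand-alone run: 5 lines in total, but only 3 of them are serials.
sample_dump | crlset_summary
```

With the real tool, the same function can be fed from `./crlset dump foo | crlset_summary` after a fresh `./crlset fetch > foo`.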



