[cryptography] Chrome to drop CRL checking
Jeff.Hodges at KingsMountain.com
Wed Feb 8 00:24:17 EST 2012
Taral <taralx at gmail.com> noted..
> On Tue, Feb 7, 2012 at 7:25 AM, Alexandre Dulaunoy <a at foo.be> wrote:
>> $ ./crlset dump crl-set | wc -l
>> Maybe they use a bloomfilter-like format or something like that. But
>> it seems that their current bundle is
>> not matching the numbers of the revoked certificate especially the
>> ones with a reason.
>> Information about the Google CRLSet format is welcome.
> A glance at the code says the dump is of the form:
> spki hash
> And it looks like it's been updated:
> % ./crlset dump crlset | grep '^ ' | wc -l
note that one needs to do this sequence to get similar results as above (i.e.
$ ./crlset fetch > foo
$ ./crlset dump foo | grep '^ ' | wc -l
I.e. you need to actually fetch the latest update, then dump it. Otherwise
you'll be stuck with your previous numbers, assuming you request dumping of the
same file you've previously fetched to.
More information about the cryptography