[cryptography] Chrome to drop CRL checking

Alexandre Dulaunoy a at foo.be
Wed Feb 8 04:51:27 EST 2012


On Wed, Feb 8, 2012 at 1:34 AM, Taral <taralx at gmail.com> wrote:

> spki hash
>  serial
>  serial
>  serial

That was my guess too, but I was surprised by the low number of serials
compared to the official public CRLs.

> And it looks like it's been updated:
>
> % ./crlset dump crlset | grep '^ ' | wc -l
> 3809

Until now (looking at the number of listed serials),
the fall-back to CRL/OCSP should still be considered by Google.

Another point (even if OCSP is not very appropriate): OCSP was used
in "black-list" mode when DigiNotar discovered the breach, to block
unknown/rogue certificates [1]. Still, sometimes OCSP is useful.

See ya,

[1] http://isc.sans.edu/diary.html?storyid=11512

-- 
--                   Alexandre Dulaunoy (adulau) -- http://www.foo.be/
--                             http://www.foo.be/cgi-bin/wiki.pl/Diary
--         "Knowledge can create problems, it is not through ignorance
--                                that we can solve them" Isaac Asimov
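An added example, not part of the original thread and not Google's own crlset tool: a small Python parser for the dump layout quoted above (an SPKI hash line followed by indented serial lines). It reproduces the `grep '^ ' | wc -l` count from the quoted command and models the lookup outcome the message argues for: a serial that is absent from the set proves nothing about revocation, so a client still needs the CRL/OCSP fall-back. The dump text, hashes and serials below are constructed for the example; the field layout is assumed from the quoted dump only.

```python
from enum import Enum

# Constructed sample in the layout quoted in the thread: one line with an
# SPKI hash, then indented serial numbers revoked under that issuer key.
# Hashes and serials are made up for this example.
SAMPLE_DUMP = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9000112233445566778899aabbccddeeff
 0a1b2c
 3d4e5f
 6a7b8c
ffeeddccbbaa99887766554433221100f9f8e7d6c5b4a39281706f5e4d3c2b1a
 010203
"""


class Status(Enum):
    REVOKED = "revoked: serial is listed for this issuer key"
    UNKNOWN = "not covered by the set: fall back to CRL/OCSP"


def parse_dump(text):
    """Parse dump-style text into {spki_hash: set(serials)}.

    Lines that start with a space are serials belonging to the most
    recent unindented SPKI hash line, matching the quoted grep '^ '.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if current is None:
                raise ValueError("serial line before any SPKI hash line")
            entries[current].add(line.strip().lower())
        else:
            current = line.strip().lower()
            entries.setdefault(current, set())
    return entries


def count_serials(entries):
    """Same number the quoted `grep '^ ' | wc -l` pipeline reports."""
    return sum(len(serials) for serials in entries.values())


def check(entries, spki_hash, serial):
    """Lookup of a (issuer SPKI hash, serial) pair.

    Only a listed serial gives a positive answer. Anything else is
    UNKNOWN rather than 'good': the set is a small block-list, so an
    absent serial must still be checked against the issuer's CRL/OCSP.
    """
    serials = entries.get(spki_hash.lower())
    if serials is not None and serial.lower() in serials:
        return Status.REVOKED
    return Status.UNKNOWN


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    print("serials listed:", count_serials(entries))
    key = "a1b2c3d4e5f60718293a4b5c6d7e8f9000112233445566778899aabbccddeeff"
    print(check(entries, key, "0a1b2c").value)
    print(check(entries, key, "deadbeef").value)
```

The UNKNOWN branch is the point of the message: the set answers "revoked" for the few thousand serials it carries and says nothing about everything else, which is why dropping CRL/OCSP entirely loses information for certificates the set does not cover.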


