[cryptography] Chrome to drop CRL checking
a at foo.be
Wed Feb 8 04:51:27 EST 2012
On Wed, Feb 8, 2012 at 1:34 AM, Taral <taralx at gmail.com> wrote:
> spki hash
That was my guess too, but I was surprised by the low number of serials
compared to the official public CRLs.
> And it looks like it's been updated:
> % ./crlset dump crlset | grep '^ ' | wc -l
Until now (looking at the number of listed serials),
the fall-back to the CRL/OCSP should still be considered by Google.
Another point (even if OCSP is not very appropriate): OCSP was used
in "black-list" mode when DigiNotar discovered the breach to block
unknown/rogue certificates. Still, sometimes OCSP is useful.
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov