[Cryptography] Verisimilitrust

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Jan 11 18:16:44 EST 2016


Ben Laurie <ben at links.org> writes:

>On 8 January 2016 at 01:09, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> Provide revocation info for certs - No, the browser vendor will.
>
>That's not actually true for most revocations, at least in Chrome (I don't
>know what other browsers do).

Hmm, the page you link to (which is one of the sources I used for my post)
says:

  Online (i.e. OCSP and CRL) checks are not, generally, performed by Chrome. 

and:

  CRLSets (background) are primarily a means by which Chrome can quickly block
  certificates in emergency situations. As a secondary function they can also
  contain some number of non-emergency revocations.

That does look an awful lot like it's the browser vendor providing revocation
info for certs, not the CA.  And it's the same with other browsers, the CA
publishes a CRL that's ignored by browsers, and if any critical revocation
(i.e. one that users actually care about, rogue CA certs, that sort of thing)
happens, it's handled by the browser vendors pushing out an
update/blacklist/whatever, not by a CA.

Peter.

