[Cryptography] Verisimilitrust
Ben Laurie
ben at links.org
Tue Jan 12 00:28:47 EST 2016
On 11 January 2016 at 15:16, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Ben Laurie <ben at links.org> writes:
>
>>On 8 January 2016 at 01:09, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>>> Provide revocation info for certs - No, the browser vendor will.
>>
>>That's not actually true for most revocations, at least in Chrome (I don't
>>know what other browsers do).
>
> Hmm, the page you link to (which is one of the sources I used for my post)
> says:
>
> Online (i.e. OCSP and CRL) checks are not, generally, performed by Chrome.
>
> and:
>
> CRLSets (background) are primarily a means by which Chrome can quickly block
> certificates in emergency situations. As a secondary function they can also
> contain some number of non-emergency revocations.

Selective quoting for the win. It also says:

"We maintain an internal list of crawled CRLs. The CRLs from that set
go to make up the published CRLSet. For size reasons, the list doesn't
include all CRLs - EV CRLs and CRLs with good reason codes are taken
in preference. CRLs which cover intermediates are typically small and
valuable so we try to take as many as possible."
> That does look an awful lot like it's the browser vendor providing revocation
> info for certs, not the CA.

Only if you stop reading half way down the page.

> And it's the same with other browsers, the CA
> publishes a CRL that's ignored by browsers, and if any critical revocation
> (i.e. one that users actually care about, rogue CA certs, that sort of thing)
> happens, it's handled by the browser vendors pushing out an
> update/blacklist/whatever, not by a CA.

It is unsurprising that browser vendors are reluctant to rely on CAs
to revoke their own roots.