<p dir="ltr"><br>
- IE on Windows - See <a href="http://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx">http://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx</a></p>
<p dir="ltr">- Chrome does not fetch CRLs</p>
<p dir="ltr">- Safari on Windows - See <a href="http://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx">http://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx</a></p>
<p dir="ltr">- Safari on OS X<br>
- Depends on your version of OS X (due to libsecurity versions)<br>
- 10.9 sources - see tpFetchViaGeneralNames ( <a href="http://opensource.apple.com/source/Security/Security-55471/libsecurity_apple_x509_tp/lib/TPNetwork.cpp">http://opensource.apple.com/source/Security/Security-55471/libsecurity_apple_x509_tp/lib/TPNetwork.cpp</a> )<br>
- For each general name, if it's http/ldap/https, try to fetch.<br>
- If "successful" (crtn == CSSM_OK), stop processing<br>
- Otherwise, continue downloading each GN</p>
<p dir="ltr">- Firefox<br>
- Depends if its an EV candidate<br>
- Current EV behaviour aborts AIA/CRL fetching after a single failure. Bug is open to discuss changing. Amusingly, on successful fetches, continues fetching every URL anyways. With failures masking successes. Hence the bug.<br>
- Non-EV doesn't fetch CRLs.</p>
<p dir="ltr">Safari and IE basically continue trying until the first successful URL. Firefox aborts on the first failure (which can mask successful fetches).</p>
<p dir="ltr">With Microsoft, Chrome, and Firefox generally moving away from CRLs, this is less likely to be true in the future. That said, sticking local responder URLs (in a lower/later sequence order) is not uncommon, judging by the certs we've seen, and will only break clients with bugs.</p>
<p dir="ltr">On Fri, Jan 10, 2014 at 8:13 PM, Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>> wrote:<br>
><br>
><br>
><br>
><br>
> On Tue, Jan 7, 2014 at 7:42 AM, <<a href="mailto:michal.proszkiewicz@unizeto.pl">michal.proszkiewicz@unizeto.pl</a>> wrote:<br>
>><br>
>><br>
>> Can anyone tell what is the behavior of different browsers when there are two CRLDP in the certificate. <br>
>><br>
>> The things that we are interested in are: <br>
>> - is CRLDP address chosen randomly, first listed or maybe some other way? <br>
>> - if one address fail (ex. server timeout or 404 error) does browser try another one, after what time? <br>
>><br>
>> I know that Firefox won't be using CRL's at all in the near future, but how does it look for the other browsers? (IE, Chrome, Safari, Opera) <br>
>> What about mobile browsers, are they using CRL's at all? <br>
>><br>
>> One of our enterprise customer asked for second CRLDP address (that will be located in customers infrastructure) in the certificate and we are researching if there is any point to make such change in the structure of the certificate. <br>
>><br>
>> Best regards, <br>
>> -Michał Proszkiewicz<br>
>> _______________________________________________<br>
>> Management mailing list<br>
>> <a href="mailto:Management@cabforum.org">Management@cabforum.org</a><br>
>> <a href="https://cabforum.org/mailman/listinfo/management">https://cabforum.org/mailman/listinfo/management</a><br>
><br>
><br>
> Happy to reply if you'd be comfortable discussing this on the public list.<br></p>
<div class="gmail_quot<blockquote class=" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jan 7, 2014 at 7:42 AM, <span dir="ltr"><<a href="mailto:michal.proszkiewicz@unizeto.pl" target="_blank">michal.proszkiewicz@unizeto.pl</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br><font face="sans-serif">Can anyone tell what is the behavior
of different browsers when there are two CRLDP in the certificate.</font>
<br>
<br><font face="sans-serif">The things that we are interested in
are:</font>
<br><font face="sans-serif">- is CRLDP address chosen randomly,
first listed or maybe some other way?</font>
<br><font face="sans-serif">- if one address fail (ex. server timeout
or 404 error) does browser try another one, after what time?</font>
<br>
<br><font face="sans-serif">I know that Firefox won't be using CRL's
at all in the near future, but how does it look for the other browsers?
(IE, Chrome, Safari, Opera)</font>
<br><font face="sans-serif">What about mobile browsers, are they
using CRL's at all?</font>
<br>
<br><font face="sans-serif">One of our enterprise customer asked
for second CRLDP address (that will be located in customers infrastructure)
in the certificate and we are researching if there is any point to make
such change in the structure of the certificate.</font>
<br>
<br><font face="sans-serif">Best regards,</font>
<br><font face="sans-serif">-Michał Proszkiewicz</font><br>_______________________________________________<br>
Management mailing list<br>
<a href="mailto:Management@cabforum.org" target="_blank">Management@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/management" target="_blank">https://cabforum.org/mailman/listinfo/management</a></blockquote><div><br></div><div>Happy to reply if you'd be comfortable discussing this on the public list.</div>
</div></div></div>
</div>