[cabfpub] Request for details on CRL Sets

Rick Andrews Rick_Andrews at symantec.com
Tue Aug 27 11:14:23 MST 2013


Thanks, Adam, this helps. And Gerv, I hope you'll consider creating a similar page for Mozilla.

One typo: "The Chromium source code that implements CRLSets if, of course, public". "if" should be "is".

I have several questions (and I hope you'll update the page with answers, rather than just replying by email):

- Is there a way for a CA to know which of its CRLs are on your crawl list?

- Are CRLs that are signed by roots (consisting most likely of intermediate CAs signed by the root) treated differently from CRLs that are signed by intermediates?

- It seems like there are cases in which Chrome (with default options) will not check the status of an intermediate or end entity certificate:
  - If it's not an EV cert, and it's not covered by a fresh CRLSet (either because it hasn't gotten an update, or because its CRL was not on your crawl list, or because the CRL was too large)

Is that correct? I know that Google is very concerned about the latency of making a revocation check, but it sounds to me like we have no visibility into which certs are checked for revocation and which are not. Do you have any concerns about that?

-Rick

> -----Original Message-----
> From: Adam Langley [mailto:agl at google.com]
> Sent: Tuesday, August 27, 2013 8:18 AM
> To: Rick Andrews
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Request for details on CRL Sets
> 
> On Mon, Aug 26, 2013 at 7:18 PM, Rick Andrews
> <Rick_Andrews at symantec.com> wrote:
> > The rest of your email is very helpful, but it's in an email. It may
> be difficult to locate later, and it may be impossible for future CABF
> members to find. Couldn't you just create a 'knowledge base' article
> somewhere (akin to Microsoft's Knowledge Base, or Mozilla's wiki), and
> keep it up to date? I don't think that's too much to ask. It could even
> be on the CABF wiki, although that isn't accessible outside of CABF
> members.
> 
> I've essentially copy-pasted the contents of that email into
> https://sites.google.com/a/chromium.org/dev/Home/chromium-security/crlsets,
> which can serve as a more canonical reference if you have need of one.
> 
> 
> Cheers
> 
> AGL
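As an added worked example (not part of this thread, and not Chromium's own code): a small Python parser for a CRLSet blob plus the lookup that decides whether a certificate is covered by it at all. The byte layout used here (2-byte little-endian length of a JSON header; header fields ContentType, Sequence, NumParents and BlockedSPKIs; then, per parent, a 32-byte SHA-256 of the issuer's SubjectPublicKeyInfo, a 4-byte little-endian serial count, and one-byte-length-prefixed serials) follows my reading of Chromium's crl_set.cc and should be treated as an assumption to verify against that source. The SPKI byte strings and serial numbers below are constructed stand-ins, not real keys or certificates. The "unknown" outcome is the case Rick raises: the issuer's CRL was never crawled (or was dropped for size), so the CRLSet cannot answer for that certificate and, on Rick's reading above, default Chrome makes no further check.

```python
import base64
import hashlib
import json
import struct
from typing import Dict, List, Set, Tuple


def build_crlset(sequence: int, parents: Dict[bytes, List[bytes]],
                 blocked_spkis: List[bytes]) -> bytes:
    """Serialize a CRLSet: <H header length, JSON header, then parent records.
    parents maps SHA-256(issuer SPKI) -> list of revoked serials (raw big-endian bytes).
    Layout is an assumption based on Chromium's crl_set.cc."""
    header = {
        "Version": 0,
        "ContentType": "CRLSet",
        "Sequence": sequence,
        "NumParents": len(parents),
        "BlockedSPKIs": [base64.b64encode(h).decode() for h in blocked_spkis],
    }
    hdr = json.dumps(header).encode()
    out = bytearray(struct.pack("<H", len(hdr)) + hdr)
    for spki_hash, serials in parents.items():
        assert len(spki_hash) == 32
        out += spki_hash
        out += struct.pack("<I", len(serials))
        for serial in serials:
            assert 1 <= len(serial) <= 255
            out += struct.pack("B", len(serial)) + serial
    return bytes(out)


def parse_crlset(blob: bytes) -> Tuple[dict, Dict[bytes, Set[bytes]], Set[bytes]]:
    """Parse a CRLSet blob into (header, {spki_hash: {serials}}, blocked_spki_hashes)."""
    (hdr_len,) = struct.unpack_from("<H", blob, 0)
    header = json.loads(blob[2:2 + hdr_len])
    if header.get("ContentType") != "CRLSet":
        raise ValueError("not a CRLSet")
    pos = 2 + hdr_len
    parents: Dict[bytes, Set[bytes]] = {}
    for _ in range(header["NumParents"]):
        spki_hash = blob[pos:pos + 32]
        pos += 32
        (count,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        serials: Set[bytes] = set()
        for _ in range(count):
            length = blob[pos]
            pos += 1
            serials.add(blob[pos:pos + length])
            pos += length
        parents[spki_hash] = serials
    if pos != len(blob):
        raise ValueError("trailing bytes after last parent record")
    blocked = {base64.b64decode(s) for s in header.get("BlockedSPKIs", [])}
    return header, parents, blocked


def check(crlset, issuer_spki_der: bytes, serial: bytes,
          subject_spki_der: bytes = None) -> str:
    """'revoked', 'good', or 'unknown' (issuer not on the crawl list: no answer)."""
    _header, parents, blocked = crlset
    if subject_spki_der is not None and hashlib.sha256(subject_spki_der).digest() in blocked:
        return "revoked"
    issuer_hash = hashlib.sha256(issuer_spki_der).digest()
    if issuer_hash not in parents:
        return "unknown"
    return "revoked" if serial in parents[issuer_hash] else "good"


# Constructed sample data: stand-ins for SubjectPublicKeyInfo DER, not real keys.
ISSUER_A_SPKI = b"constructed-spki-issuer-A"
ISSUER_B_SPKI = b"constructed-spki-issuer-B"   # issuer B's CRL is not crawled
LEAF_C_SPKI = b"constructed-spki-leaf-C"       # blocked outright by SPKI


def sample_crlset() -> bytes:
    # Only issuer A is on the crawl list; its CRL listed serials 0x1001 and 0x1002.
    parents = {hashlib.sha256(ISSUER_A_SPKI).digest(): [b"\x10\x01", b"\x10\x02"]}
    return build_crlset(sequence=1234, parents=parents,
                        blocked_spkis=[hashlib.sha256(LEAF_C_SPKI).digest()])


def demo() -> Dict[str, str]:
    crlset = parse_crlset(sample_crlset())
    return {
        "A/1001": check(crlset, ISSUER_A_SPKI, b"\x10\x01"),
        "A/1003": check(crlset, ISSUER_A_SPKI, b"\x10\x03"),
        "B/1001": check(crlset, ISSUER_B_SPKI, b"\x10\x01"),
        "C-blocked": check(crlset, ISSUER_B_SPKI, b"\x01", subject_spki_der=LEAF_C_SPKI),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A CA that wants the visibility Rick asks for can run the same lookup over its own issuing intermediates: hash each intermediate's SPKI and see whether it appears as a parent in the current CRLSet; if it does not, none of the certificates it issued are covered, regardless of what the CA's CRL says.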
