[cabfpub] Request for details on CRL Sets

Adam Langley agl at google.com
Tue Aug 27 18:56:55 UTC 2013

On Tue, Aug 27, 2013 at 2:14 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
> One typo: "The Chromium source code that implements CRLSets if, of course, public". "if" should be "is"

Thanks, done.

> I have several questions (and I hope you'll update the page with answers, rather than just replying by email):

Am updating the page with each of these answers.

> - Is there a way for a CA to know which of its CRLs are on your crawl list?

A CA can just ask me privately. Since some have expressed a desire to
keep this information private, I'm erring on the side of caution and
not including Symantec's in public here, but I'll do so if you wish.

> - Are CRLs that are signed by roots (consisting most likely of intermediate CAs signed by the root) treated differently from CRLs that are signed by intermediates?

No, although CRLs signed by roots are typically small and useful to
have so we'll include them where we can.

> - It seems like there are cases in which Chrome (with default options) will not check the status of an intermediate or end entity certificate:
>   - If it's not an EV cert, and it's not covered by a fresh CRLSet (either because it hasn't gotten an update, or because its CRL was not on your crawl list, or because the CRL was too large)
> Is that correct? I know that Google is very concerned about the latency of making a revocation check, but it sounds to me like we have no visibility into which certs are checked for revocation and which are not. Do you have any concerns about that?

Yes, that's correct. In the original blog post I outlined the
steps of the reasoning: that a) soft-fail checks aren't useful for
security with HTTPS, b) we need a mechanism for emergency revocations.
Including CRLs in the emergency revocation mechanism was an idea which
has had mixed results, but it wasn't a substitute for online checks.
The decision to stop doing online checks stands alone, even without
CRLSets. The only exception is the EV badge, which requires a
hard-fail check and so is meaningful. Originally the hope was to
include all EV CRLs in the CRLSet since the set of EV CAs is much
smaller. However, that hasn't worked out for size reasons and so we
have the online fallback for EV certs. Whether the online checks are
worthwhile for EV certs isn't terribly clear, but it's what we're
doing for now.


