[cabfpub] [cabfman] Behavior of browsers when there are 2 CRLDP

Ryan Sleevi sleevi at google.com
Mon Jan 13 10:17:15 UTC 2014


- IE on Windows - See
http://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx

- Chrome does not fetch CRLs

- Safari on Windows - See
http://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx

- Safari on OS X
  - Depends on your version of OS X (due to libsecurity versions)
  - 10.9 sources - see tpFetchViaGeneralNames
    (http://opensource.apple.com/source/Security/Security-55471/libsecurity_apple_x509_tp/lib/TPNetwork.cpp)
    - For each general name, if it's http/ldap/https, try to fetch.
    - If "successful" (crtn == CSSM_OK), stop processing
    - Otherwise, continue downloading each GN

- Firefox
  - Depends if it's an EV candidate
  - Current EV behaviour aborts AIA/CRL fetching after a single failure.
    Bug is open to discuss changing. Amusingly, on successful fetches, it
    continues fetching every URL anyways, with failures masking successes.
    Hence the bug.
  - Non-EV doesn't fetch CRLs.

Safari and IE basically continue trying until the first successful URL.
Firefox aborts on the first failure (which can mask successful fetches).

With Microsoft, Chrome, and Firefox generally moving away from CRLs, this
is less likely to be true in the future. That said, sticking local
responder URLs (in a lower/later sequence order) is not uncommon, judging
by the certs we've seen, and will only break clients with bugs.

On Fri, Jan 10, 2014 at 8:13 PM, Ryan Sleevi <sleevi at google.com> wrote:
>
> On Tue, Jan 7, 2014 at 7:42 AM, <michal.proszkiewicz at unizeto.pl> wrote:
>>
>> Can anyone tell what is the behavior of different browsers when there
>> are two CRLDP in the certificate.
>>
>> The things that we are interested in are:
>> - is the CRLDP address chosen randomly, first listed or maybe some other
>> way?
>> - if one address fails (ex. server timeout or 404 error) does the browser
>> try another one, after what time?
>>
>> I know that Firefox won't be using CRLs at all in the near future, but
>> how does it look for the other browsers? (IE, Chrome, Safari, Opera)
>> What about mobile browsers, are they using CRLs at all?
>>
>> One of our enterprise customers asked for a second CRLDP address (that
>> will be located in the customer's infrastructure) in the certificate and
>> we are researching if there is any point to make such a change in the
>> structure of the certificate.
>>
>> Best regards,
>> -Michał Proszkiewicz
>> _______________________________________________
>> Management mailing list
>> Management at cabforum.org
>> https://cabforum.org/mailman/listinfo/management
>
> Happy to reply if you'd be comfortable discussing this on the public list.

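The two client strategies described in the message above, modelled as code. This is an added example, not code from the thread, from Apple's TPNetwork.cpp or from any browser; the distribution point URLs are constructed, and network access is replaced by a lookup table of "reachable" URLs so the model runs offline. The first policy is the "continue until the first successful URL" behaviour attributed to Safari and IE; the second is the EV behaviour attributed to Firefox, which keeps fetching after a success and aborts on any single failure. The scheme filter mirrors the http/ldap/https check named for tpFetchViaGeneralNames.

```python
"""Model of two CRL distribution point (CRLDP) fetch policies.

Policies are taken from the thread's description of client behaviour;
everything else (URLs, the fetch table) is constructed for the example.
"""
from typing import Callable, Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

# Schemes the Safari code path is described as trying; others are skipped.
FETCHABLE_SCHEMES = {"http", "https", "ldap"}


class FetchError(Exception):
    """A failed fetch: timeout, 404, unreachable host, and so on."""


def is_fetchable(uri: str) -> bool:
    """True if the general name is a URI with a scheme the client will try."""
    return urlsplit(uri).scheme.lower() in FETCHABLE_SCHEMES


def fetch_first_success(uris: Iterable[str], fetch: Callable[[str], str]) -> Optional[str]:
    """'Safari/IE' policy from the thread: try each fetchable distribution
    point in listed order and stop at the first CRL obtained. Returns the
    CRL, or None only if every attempt failed."""
    for uri in uris:
        if not is_fetchable(uri):
            continue
        try:
            return fetch(uri)
        except FetchError:
            continue  # a failure here is masked by a later success
    return None


def fetch_abort_on_first_failure(uris: Iterable[str], fetch: Callable[[str], str]) -> Optional[str]:
    """'Firefox EV' policy from the thread: fetch every listed distribution
    point, even after one already succeeded, and abort the whole lookup on
    any single failure. Returns the first CRL obtained, or None on abort."""
    crl = None
    for uri in uris:
        if not is_fetchable(uri):
            continue
        try:
            got = fetch(uri)
        except FetchError:
            return None  # a later failure masks an earlier success
        if crl is None:
            crl = got
    return crl


# Constructed sample environment (hypothetical hosts): a public CA responder
# reachable from anywhere, and a customer-internal responder reachable only
# from the customer's own network.
PUBLIC_CRL = "http://crl.public-ca.example/ca.crl"
INTERNAL_CRL = "http://crl.corp.example/ca.crl"


def make_fetcher(reachable: Set[str]) -> Callable[[str], str]:
    """Simulated network: URLs in `reachable` return a CRL, others fail."""
    def fetch(uri: str) -> str:
        if uri in reachable:
            return "CRL-from:" + uri
        raise FetchError(uri)
    return fetch


def simulate(dp_order: Iterable[str], reachable: Set[str]) -> Tuple[Optional[str], Optional[str]]:
    """Run one CRLDP ordering through both policies against a given set of
    reachable URLs; returns (first-success result, abort-on-failure result)."""
    fetch = make_fetcher(reachable)
    order = list(dp_order)
    return fetch_first_success(order, fetch), fetch_abort_on_first_failure(order, fetch)


if __name__ == "__main__":
    # Public URL first, internal URL second, evaluated from the Internet:
    # the first-success client is fine; the abort-on-failure client breaks.
    print("internet client :", simulate([PUBLIC_CRL, INTERNAL_CRL], {PUBLIC_CRL}))
    # Same certificate evaluated inside the customer's network: both succeed.
    print("internal client :", simulate([PUBLIC_CRL, INTERNAL_CRL], {PUBLIC_CRL, INTERNAL_CRL}))
    # Internal URL listed first: the first-success client pays one failed
    # fetch before reaching the public URL; the abort client fails outright.
    print("internal first  :", simulate([INTERNAL_CRL, PUBLIC_CRL], {PUBLIC_CRL}))
```

Running the model shows the ordering trade-off the thread describes: with the public responder first and the internal one later, a first-success client never touches the internal URL, while a client that keeps fetching and aborts on failure fails whenever the internal host is unreachable, which is exactly the "will only break clients with bugs" case.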