[cabfpub] Chrome revocation checking problem

Erwann Abalea erwann.abalea at opentrust.com
Mon Mar 30 07:04:28 MST 2015


Hello,

I'm not sure it's something to discuss here, but since you brought up the 
subject...

Chrome doesn't use CRLs; they have been replaced with CRLSet since 2012. 
Your DVCA isn't in the current CRLSet.
CRLSet involves crawling CRLs and extracting useful entries. The 
usefulness depends on the revocation reason, and the security risk 
associated with the declared reason.

The dvcasha2.crl CRL contains a lot of certificates revoked with an 
"unspecified" reason code, and that's the reason used for this 
particular certificate. I don't know if Google takes those reason codes 
as security risks.

Take a look at RFC5280:
-----
5.3.1.  Reason Code

    The reasonCode is a non-critical CRL entry extension that identifies
    the reason for the certificate revocation.  CRL issuers are strongly
    encouraged to include meaningful reason codes in CRL entries;
    however, the reason code CRL entry extension SHOULD be absent instead
    of using the unspecified (0) reasonCode value.
-----

If you remove the "unspecified" reason code to comply with the SHOULD, 
and Google takes your CRL into consideration to build the CRLSet, then 
those certificates will surely be declared as revoked (no indicated 
reason is considered risky for the CRLSet build process, last time I 
checked).


You SHOULD really take a look at the content of your CRLs when they come 
from the same CA and are signed by different keys with different 
algorithms.
For example, spacesslca.crl and spacesslcasha2.crl, or evca.crl and 
evca2.crl. They don't contain the same information, yet all 4 are 
unpartitioned and complete CRLs for 2 CAs.

-- 
Erwann ABALEA

On 30/03/2015 13:29, michal.proszkiewicz at unizeto.pl wrote:
> Hi,
>
> We have a problem with revocation in Chrome.
>
> One of our clients revoked a certificate, and in Chrome it is still 
> visible as valid.
>
> Please check:
> https://bar.drinki.com/login
>
> The certificate has been on the CRL since Jan 27 10:40:36 2015 GMT:
> http://crl.certum.pl/dvcasha2.crl
>
> OCSP (checked using OpenSSL) is also OK:
> Response verify OK
> cert.pem: revoked
>         This Update: Mar 30 11:27:41 2015 GMT
>         Next Update: Apr  6 11:27:41 2015 GMT
>         Revocation Time: Jan 27 10:40:36 2015 GMT
>
>
> Do we miss something?
> I checked the settings but there is nothing regarding certificate status 
> checking (I think that in the past there was this kind of option).
>
> -Michał Proszkiewicz
>
>
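The two checks Erwann suggests above (which CRL entries carry an explicit unspecified (0) reasonCode that RFC 5280 says SHOULD be omitted, and whether two CRLs that both claim to be complete for one CA actually list the same serials), as an added example that is not part of this thread or of any CA's tooling. It uses the Python `cryptography` library and builds constructed sample CRLs in-process with a throwaway key; no real Certum CRL is fetched, and every serial, issuer name and date is made up. `reissue_without_unspecified` shows the RFC 5280 fix of dropping the extension instead of writing unspecified; whether Chrome's CRLSet crawler would then treat those entries as revocations is the author's point, not something this code can verify.

```python
"""Audit a CRL for two problems: (1) entries whose reasonCode extension is
present but equal to unspecified (0), which RFC 5280 5.3.1 says SHOULD be
omitted instead; (2) two "complete" CRLs for one CA that disagree on serials.
All CRLs below are constructed in-process; nothing is downloaded."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

UNSPECIFIED = x509.ReasonFlags.unspecified


def _crl_entry(serial, revoked_at, reason):
    """One revokedCertificates entry; reasonCode is written only when reason is not None."""
    builder = (x509.RevokedCertificateBuilder()
               .serial_number(serial)
               .revocation_date(revoked_at))
    if reason is not None:
        builder = builder.add_extension(x509.CRLReason(reason), critical=False)
    return builder.build()


def build_sample_crl(key, issuer, issued_at, entries):
    """Constructed sample CRL; entries is a list of (serial, ReasonFlags or None)."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer)
               .last_update(issued_at)
               .next_update(issued_at + timedelta(days=7)))
    for serial, reason in entries:
        builder = builder.add_revoked_certificate(
            _crl_entry(serial, issued_at - timedelta(days=60), reason))
    return builder.sign(private_key=key, algorithm=hashes.SHA256())


def entry_reason(entry):
    """ReasonFlags value of the entry's reasonCode extension, or None if absent."""
    try:
        return entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return None


def _revocation_date(entry):
    # revocation_date_utc exists in cryptography >= 42; older releases only have the naive value
    return getattr(entry, "revocation_date_utc", None) or entry.revocation_date


def reason_map(crl):
    """{serial: reason name or None} for every entry in the CRL."""
    return {e.serial_number: (None if entry_reason(e) is None else entry_reason(e).name)
            for e in crl}


def unspecified_reason_entries(crl):
    """Serials that violate the RFC 5280 SHOULD: reasonCode present but unspecified (0)."""
    return sorted(e.serial_number for e in crl if entry_reason(e) is UNSPECIFIED)


def compare_complete_crls(crl_a, crl_b):
    """Serials present in only one of two CRLs. For two complete, unpartitioned CRLs
    of the same CA (same revocations, different signing key) both lists should be empty."""
    a = {e.serial_number for e in crl_a}
    b = {e.serial_number for e in crl_b}
    return sorted(a - b), sorted(b - a)


def reissue_without_unspecified(crl, key, issued_at):
    """Re-sign the same entries, omitting reasonCode where it was unspecified (0)
    and keeping every other reason code unchanged."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(crl.issuer)
               .last_update(issued_at)
               .next_update(issued_at + timedelta(days=7)))
    for entry in crl:
        reason = entry_reason(entry)
        builder = builder.add_revoked_certificate(_crl_entry(
            entry.serial_number, _revocation_date(entry),
            None if reason is UNSPECIFIED else reason))
    return builder.sign(private_key=key, algorithm=hashes.SHA256())


def run_audit():
    """Build the constructed CRLs, run both checks, and return plain values."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # throwaway key
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example DV CA (constructed)")])
    t0 = datetime(2015, 3, 30, 11, 27, 41, tzinfo=timezone.utc)
    # Stand-ins for one CA's two CRLs published under different keys (the *.crl / *sha2.crl pairs)
    crl_a = build_sample_crl(key, issuer, t0, [(1001, UNSPECIFIED),
                                               (1002, x509.ReasonFlags.key_compromise),
                                               (1003, None)])
    crl_b = build_sample_crl(key, issuer, t0, [(1001, None), (1004, x509.ReasonFlags.superseded)])
    fixed = reissue_without_unspecified(crl_a, key, t0 + timedelta(days=1))
    only_a, only_b = compare_complete_crls(crl_a, crl_b)
    return {
        "unspecified_before": unspecified_reason_entries(crl_a),
        "unspecified_after": unspecified_reason_entries(fixed),
        "reasons_after": reason_map(fixed),
        "only_in_a": only_a,
        "only_in_b": only_b,
        "fixed_signature_valid": fixed.is_signature_valid(key.public_key()),
        "fixed_entry_count": len(fixed),
    }


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(f"{name}: {value}")
```

To run the same checks on a published CRL, load it with `x509.load_der_x509_crl(open(path, "rb").read())` (or `load_pem_x509_crl`) and pass the result to `unspecified_reason_entries` and `compare_complete_crls`; the re-issue step of course needs the CA's real signing key and is shown here only to make the "omit the extension" fix concrete.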
