[cabfpub] Chrome revocation checking problem

Chris Palmer palmer at google.com
Mon Mar 30 10:52:24 MST 2015


You might also like to read this Chrome Security FAQ entry:

https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-s-the-story-with-certificate-revocation-

On Mon, Mar 30, 2015 at 7:04 AM, Erwann Abalea
<erwann.abalea at opentrust.com> wrote:
> Hello,
>
> I'm not sure it's something to discuss here, but since you brought the
> subject...
>
> Chrome doesn't use CRLs; they have been replaced with CRLSets since 2012. Your
> DVCA isn't in the current CRLSet.
> CRLSet involves crawling CRLs and extracting useful entries. The usefulness
> depends on the revocation reason, and the security risk associated with the
> declared reason.
>
> The dvcasha2.crl CRL contains a lot of certificates revoked with an
> "unspecified" reason code, and that's the reason used for this particular
> certificate. I don't know if Google takes those reason codes as security
> risks.
>
> Take a look at RFC5280:
> -----
> 5.3.1.  Reason Code
>
>    The reasonCode is a non-critical CRL entry extension that identifies
>    the reason for the certificate revocation.  CRL issuers are strongly
>    encouraged to include meaningful reason codes in CRL entries;
>    however, the reason code CRL entry extension SHOULD be absent instead
>    of using the unspecified (0) reasonCode value.
> -----
>
> If you remove the "unspecified" reason code to comply with the SHOULD, and
> Google takes your CRL into consideration to build the CRLSet, then those
> certificates will surely be declared as revoked (no indicated reason is
> considered risky for the CRLSet build process, last time I checked).
>
>
> You SHOULD really take a look at the content of your CRLs when they come
> from the same CA and are signed by a different key with different
> algorithms.
> For example, spacesslca.crl and spacesslcasha2.crl, or evca.crl and
> evca2.crl. They don't contain the same information, yet are all 4
> unpartitioned and complete CRLs for 2 CAs.
>
> --
> Erwann ABALEA
>
> On 30/03/2015 13:29, michal.proszkiewicz at unizeto.pl wrote:
>
> Hi,
>
> We have a problem with revocation in Chrome.
>
> One of our clients revoked a certificate, and in Chrome it is still visible as
> valid.
>
> Please check:
> https://bar.drinki.com/login
>
> Certificate is on CRL since Jan 27 10:40:36 2015 GMT :
> http://crl.certum.pl/dvcasha2.crl
>
> OCSP (checked using OpenSSL) is also OK:
> Response verify OK
> cert.pem: revoked
>         This Update: Mar 30 11:27:41 2015 GMT
>         Next Update: Apr  6 11:27:41 2015 GMT
>         Revocation Time: Jan 27 10:40:36 2015 GMT
>
>
> Do we miss something?
> I checked the settings, but there is nothing regarding certificate status
> checking (I think that in the past there was this kind of option).
>
> -Michał Proszkiewicz
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
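An added example, not code from the thread, from Certum, or from Chromium: a small standard-library Python lint over constructed CRL entries. It decodes the reasonCode CRL entry extension (id-ce-cRLReasons, 2.5.29.21) that Erwann points to, flags the unspecified(0) value that RFC 5280 section 5.3.1 says should be omitted, and applies an assumed reason-based selection rule to show why an entry with reason 0 and an entry with no reasonCode at all can end up treated differently. The selection rule (`SECURITY_RELEVANT`, `select_for_set`) is an illustration loosely modelled on Erwann's description of the CRLSet crawl, not Chrome's published policy; the sample serials and dates are made up, and `strip_unspecified` is a hypothetical helper showing the fix he suggests.

```python
"""Lint CRL entries for the reasonCode extension (RFC 5280 section 5.3.1).
Illustrative code added to this page: DER is handled by hand with the
standard library only, and the entries are constructed inline, not fetched."""


def _tlv(tag: int, body: bytes) -> bytes:
    """Definite-length DER tag-length-value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _integer(v: int) -> bytes:
    # One extra byte when the high bit would be set keeps the INTEGER positive.
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value bytes, position just past this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length bytes
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


REASON_CODE_OID = bytes.fromhex("551d15")  # id-ce-cRLReasons, 2.5.29.21

# CRLReason values from RFC 5280 5.3.1; value 7 is unused.
REASON_NAMES = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
                3: "affiliationChanged", 4: "superseded",
                5: "cessationOfOperation", 6: "certificateHold",
                8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

# Assumed selection rule for this example only (not Chrome's published CRLSet
# policy): keep an entry when it states no reason at all, or names a
# compromise. 'unspecified' (0) is a stated reason and so falls through.
SECURITY_RELEVANT = {1, 2, 10}


def encode_entry(serial, utc_time, reason=None):
    """One revokedCertificates element: serial, UTCTime, optional reasonCode."""
    body = _integer(serial) + _tlv(0x17, utc_time.encode("ascii"))
    if reason is not None:
        # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }; the
        # extension is non-critical so the BOOLEAN is omitted, and extnValue
        # wraps a DER ENUMERATED carrying the CRLReason.
        ext = _tlv(0x30, _tlv(0x06, REASON_CODE_OID)
                   + _tlv(0x04, _tlv(0x0A, bytes([reason]))))
        body += _tlv(0x30, ext)  # crlEntryExtensions
    return _tlv(0x30, body)


def decode_entry(der):
    """Return (serial, revocationDate, reason or None) for one entry."""
    _, body, _ = _read_tlv(der)
    _, serial_b, pos = _read_tlv(body)
    _, date_b, pos = _read_tlv(body, pos)
    reason = None
    if pos < len(body):  # crlEntryExtensions present
        _, exts, _ = _read_tlv(body, pos)
        p = 0
        while p < len(exts):
            _, ext, p = _read_tlv(exts, p)
            _, oid, q = _read_tlv(ext)
            tag, val, q = _read_tlv(ext, q)
            if tag == 0x01:  # an explicit 'critical' BOOLEAN precedes extnValue
                tag, val, q = _read_tlv(ext, q)
            if oid == REASON_CODE_OID:
                _, enum, _ = _read_tlv(val)
                reason = enum[0]
    return int.from_bytes(serial_b, "big"), date_b.decode("ascii"), reason


def lint_entry(der):
    """Findings against RFC 5280 5.3.1 for one entry (empty list if clean)."""
    serial, _, reason = decode_entry(der)
    if reason == 0:
        return [f"serial {serial:#x}: reasonCode unspecified(0); "
                "RFC 5280 5.3.1 says omit the extension instead"]
    if reason is not None and reason not in REASON_NAMES:
        return [f"serial {serial:#x}: reasonCode {reason} is not a defined CRLReason"]
    return []


def select_for_set(entries):
    """Serials the assumed reason-filtering crawler would ship."""
    kept = []
    for der in entries:
        serial, _, reason = decode_entry(der)
        if reason is None or reason in SECURITY_RELEVANT:
            kept.append(serial)
    return kept


def strip_unspecified(der):
    """Re-encode an entry so that unspecified(0) becomes 'no reasonCode'."""
    serial, date, reason = decode_entry(der)
    return encode_entry(serial, date, None if reason == 0 else reason)


# Constructed sample entries; serials and dates are made up.
SAMPLE_ENTRIES = [
    encode_entry(0x1001, "150127104036Z", 0),  # 'unspecified', as in the thread
    encode_entry(0x1002, "150201120000Z", 1),  # keyCompromise
    encode_entry(0x1003, "150210080000Z", 4),  # superseded
    encode_entry(0x1004, "150215090000Z"),     # no reasonCode extension at all
]

if __name__ == "__main__":
    for der in SAMPLE_ENTRIES:
        serial, date, reason = decode_entry(der)
        name = "absent" if reason is None else REASON_NAMES.get(reason, str(reason))
        print(f"{serial:#06x} {date} {name:22} {lint_entry(der)}")
    print("kept as-is:    ", [hex(s) for s in select_for_set(SAMPLE_ENTRIES)])
    fixed = [strip_unspecified(der) for der in SAMPLE_ENTRIES]
    print("kept after fix:", [hex(s) for s in select_for_set(fixed)])
```

The example only decodes individual revokedCertificates elements, not a whole TBSCertList, so to look at a real CRL first list its entries and their reason codes with `openssl crl -inform DER -in dvcasha2.crl -text -noout` and compare what each entry carries against what the lint above expects. Whether a given crawler actually drops unspecified(0) is the crawler's own policy; the RFC point is independent of that: the extension should be absent rather than carry value 0.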

