[cabfpub] Chrome revocation checking problem

Erwann Abalea erwann.abalea at opentrust.com
Mon Mar 30 14:04:28 UTC 2015


I'm not sure it's something to discuss here, but since you brought the 

Chrome doesn't use the CRLs, they are replaced with CRLSet, since 2012. 
Your DVCA isn't in the current CRLSet.
CRLSet involves crawling CRLs and extracting useful entries. The 
usefulness depends on the revocation reason, and the security risk 
associated with the declared reason.

The dvcasha2.crl CRL contains a lot of certificates revoked with an 
"unspecified" reason code, and that's the reason used for this 
particular certificate. I don't know if Google takes those reason codes 
as security risks.

Take a look at RFC5280:
5.3.1.  Reason Code

    The reasonCode is a non-critical CRL entry extension that identifies
    the reason for the certificate revocation.  CRL issuers are strongly
    encouraged to include meaningful reason codes in CRL entries;
    however, the reason code CRL entry extension SHOULD be absent instead
    of using the unspecified (0) reasonCode value.

If you remove the "unspecified" reason code to comply with the SHOULD, 
and Google takes your CRL into consideration to build the CRLSet, then 
those certificates will surely be declared as revoked (no indicated 
reason is considered risky for the CRLSet build process, last time I 

You SHOULD really take a look at the content of your CRLs when they come 
from the same CA and are signed by a different key with different 
For example, spacesslca.crl and spacesslcasha2.crl, or evca.crl and 
evca2.crl. They don't contain the same information, yet are all 4 
unpartitioned and complete CRLs for 2 CAs.


Le 30/03/2015 13:29, michal.proszkiewicz at unizeto.pl a écrit :
> Hi,
> We have a problem with revocation in Chrome.
> One of our clients revoked certificate and in Chrome it is still 
> visible as valid.
> Please check:
> https://bar.drinki.com/login
> Certificate is on CRL since Jan 27 10:40:36 2015 GMT :
> http://crl.certum.pl/dvcasha2.crl
> OCSP (checked used openSSL) is also ok:
> Response verify OK
> cert.pem: revoked
>         This Update: Mar 30 11:27:41 2015 GMT
>         Next Update: Apr  6 11:27:41 2015 GMT
>         Revocation Time: Jan 27 10:40:36 2015 GMT
> Do we miss something?
> I checked settings but there is nothing regarding certificate status 
> checking (i think that in the past there was this kind of option).
> -Michał Proszkiewicz
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150330/ccd2fe8c/attachment-0003.html>

More information about the Public mailing list