[Pkg-chromium-maint] Bug#745646: chromium: certificate revocation is not checked

Michael Gilbert mgilbert at debian.org
Sat May 3 02:47:02 UTC 2014

On Thu, May 1, 2014 at 2:20 PM, Vincent Lefevre wrote:
> On 2014-05-01 19:57:37 +0200, Giuseppe Iuculano wrote:
>> Il 2014-04-30 20:30 Jonathan Nieder ha scritto:
>> >However Vincent is right that the CRLSets[1] are a different mechanism
>> >than OCSP revocation checking and that CRLSet checking is enabled by
>> >default.
>> Yes, that's true, but I really can't reproduce this issue. In all my
>> installations, CRLset are updated correctly.
> How can you explain that on my machines, the CRLset isn't updated?

It may be that chromium needs to be running for some time before it
decides to attempt to fetch the data.  Have you tried leaving it open
for a while?

>> Please try to find a real case where you are more secure with it but
>> consider that:
>> - CRLSet includes at most 2% of the revoked certificates currently published
>> by the Internet's certificate authorities
> This means that the CRLSet system is completely broken by design.

Google's documentation [0] indicates that CRLSets are mostly for
"emergency" situations, whatever that means, so it isn't the solution
to the certificate revocation problem that you're looking for.

Best wishes,

[0] http://dev.chromium.org/Home/chromium-security/crlsets

More information about the Pkg-chromium-maint mailing list