[Pkg-chromium-maint] Bug#745646: chromium: certificate revocation is not checked

Michael Gilbert mgilbert at debian.org
Sat May 3 02:47:02 UTC 2014


On Thu, May 1, 2014 at 2:20 PM, Vincent Lefevre wrote:
> On 2014-05-01 19:57:37 +0200, Giuseppe Iuculano wrote:
>> On 2014-04-30 20:30 Jonathan Nieder wrote:
>> >However Vincent is right that the CRLSets[1] are a different mechanism
>> >than OCSP revocation checking and that CRLSet checking is enabled by
>> >default.
>>
>> Yes, that's true, but I really can't reproduce this issue. In all my
>> installations, CRLSets are updated correctly.
>
> How can you explain that on my machines, the CRLset isn't updated?

It may be that chromium needs to be running for some time before it
decides to attempt to fetch the data.  Have you tried leaving it open
for a while?

>> Please try to find a real case where you are more secure with it but
>> consider that:
>>
>> - CRLSet includes at most 2% of the revoked certificates currently published
>> by the Internet's certificate authorities
>
> This means that the CRLSet system is completely broken by design.

Google's documentation [0] indicates that CRLSets are mostly for
"emergency" situations, whatever that means, so it isn't the solution
to the certificate revocation problem that you're looking for.

Best wishes,
Mike

[0] http://dev.chromium.org/Home/chromium-security/crlsets


