[Pkg-chromium-maint] Bug#745646: chromium: certificate revocation is not checked
mgilbert at debian.org
Sat May 3 02:47:02 UTC 2014
On Thu, May 1, 2014 at 2:20 PM, Vincent Lefevre wrote:
> On 2014-05-01 19:57:37 +0200, Giuseppe Iuculano wrote:
>> Il 2014-04-30 20:30 Jonathan Nieder ha scritto:
>> >However Vincent is right that the CRLSets are a different mechanism
>> >than OCSP revocation checking and that CRLSet checking is enabled by
>> Yes, that's true, but I really can't reproduce this issue. In all my
>> installations, CRLset are updated correctly.
> How can you explain that on my machines, the CRLset isn't updated?
It may be that chromium needs to be running for some time before it
decides to attempt to fetch the data. Have you tried leaving it open
for a while?
>> Please try to find a real case where you are more secure with it but
>> consider that:
>> - CRLSet includes at most 2% of the revoked certificates currently published
>> by the Internet's certificate authorities
> This means that the CRLSet system is completely broken by design.
Google's documentation  indicates that CRLSets are mostly for
"emergency" situations, whatever that means, so it isn't the solution
to the certificate revocation problem that you're looking for.
More information about the Pkg-chromium-maint