Normally, I’d agree – attrition.org has enough to say about the subject. However, this is actually spot on, once you get past the overly alarmist tone. agl’s post about OCSP being not useful is correct, too, of course; but it’s clear CRLs aren’t very useful either, and a limited set of CRLs (as used in Chrome) even less so. Given the large number of sites, we have to come up with something better (probably short-lifetime certificates and perhaps better tooling for certificate deployment).
I still can’t find the part where chrome’s crlset isn’t doing exactly what it’s supposed to be doing: protecting users from accessing high profile sites with a revoked cert.
e authorities trusted by Microsoft’s systems. To rephrase that: Chrome will blindly trust every revoked certificate that was originally signed by more than four fifths of the certificate authorities Microsoft trusts.
What does this even mean? Why do I care? Am I accessing any sites using any of those certs?
I don’t know if you care, or not, and I don’t know if you’re accessing any sites using those certs. Most of the revocations seem to come from Windows (in particular but not only, IE) users. I think that sentence points out perhaps a violation of the principle of least astonishment: if the rest of the applications on your computer have revoked a certificate, it might be counterintuitive that one of your browsers doesn’t mark it as revoked.
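The coverage gap the two comments above argue about can be made concrete. The following is an added example, not code from anyone in this thread or from Chromium: it models a CRLSet as a map from the SHA-256 hash of an issuer's SubjectPublicKeyInfo to that issuer's revoked serial numbers, and a "full CRL" view (what a client that fetches every CRL would hold) in the same shape, then reports which revocations the limited set silently misses. The issuer SPKI bytes, serials and dates are constructed sample values; `exposure_days` is a hypothetical helper showing why short-lived certificates bound the damage when revocation never reaches the client.

```python
"""Model of the CRLSet-vs-full-CRL revocation gap (added example, constructed data)."""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    issuer_spki: bytes  # DER SubjectPublicKeyInfo of the issuer (constructed bytes here)
    serial: int
    not_after: date


def spki_hash(spki: bytes) -> str:
    """CRLSets key issuers by SHA-256 over the issuer's SPKI."""
    return hashlib.sha256(spki).hexdigest()


# Constructed stand-ins for three issuer SPKIs; real ones are DER blobs.
CA_A = b"constructed-spki-ca-a"
CA_B = b"constructed-spki-ca-b"
CA_C = b"constructed-spki-ca-c"

# Full CRL view: every issuer's revoked serials (constructed sample data).
FULL_CRLS = {
    spki_hash(CA_A): {1001, 1002, 1003},
    spki_hash(CA_B): {2001},
    spki_hash(CA_C): {3001, 3002},
}

# Limited CRLSet: only the "high profile" issuer CA_A made the cut.
CRLSET = {
    spki_hash(CA_A): {1001, 1002, 1003},
}


def is_revoked(cert: Cert, revocations: dict) -> bool:
    """Same lookup for a CRLSet or a full-CRL view, since both share the key shape."""
    return cert.serial in revocations.get(spki_hash(cert.issuer_spki), set())


def revocation_gap(crlset: dict, full_crls: dict) -> dict:
    """Revoked serials known to the full CRLs that the CRLSet would still accept."""
    gap = {}
    for issuer, serials in full_crls.items():
        missing = serials - crlset.get(issuer, set())
        if missing:
            gap[issuer] = missing
    return gap


def issuer_coverage(crlset: dict, full_crls: dict) -> float:
    """Fraction of issuers with at least one revocation that the CRLSet covers at all."""
    issuers = [i for i, s in full_crls.items() if s]
    if not issuers:
        return 1.0
    return sum(1 for i in issuers if i in crlset) / len(issuers)


def exposure_days(cert: Cert, revoked_on: date) -> int:
    """Days a client that never learns of the revocation keeps trusting the cert.

    A short certificate lifetime caps this number no matter how revocation
    information is (or is not) distributed.  Hypothetical helper.
    """
    return max(0, (cert.not_after - revoked_on).days)


if __name__ == "__main__":
    leaked = Cert(CA_B, 2001, date(2014, 5, 1))
    print("CRLSet says revoked:", is_revoked(leaked, CRLSET))
    print("Full CRLs say revoked:", is_revoked(leaked, FULL_CRLS))
    print("Issuers covered by CRLSet:", issuer_coverage(CRLSET, FULL_CRLS))
    for issuer, serials in revocation_gap(CRLSET, FULL_CRLS).items():
        print(f"missed by CRLSet: issuer {issuer[:12]}... serials {sorted(serials)}")
    print("Days of exposure if revoked 2014-04-21:", exposure_days(leaked, date(2014, 4, 21)))
```

The two lookups disagree for the CA_B certificate: the full CRL view rejects it, the CRLSet accepts it, which is exactly the least-astonishment problem when other software on the same machine has already pulled the issuer's CRL. The `exposure_days` figure is the argument for short-lived certificates: with a ten-day remaining lifetime the stale client is wrong for at most ten days, whereas a multi-year certificate stays trusted until someone ships it in a CRLSet.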
A response from agl.
Where’s the option to down vote a link for being grc.com? This shit is awful. It’s in the “not even wrong” category.