[cabfpub] Request for details on CRL Sets
Rick_Andrews at symantec.com
Tue Aug 27 18:14:23 UTC 2013
Thanks, Adam, this helps. And Gerv, I hope you'll consider creating a similar page for Mozilla.
One typo: "The Chromium source code that implements CRLSets if, of course, public". "if" should be "is".
I have several questions (and I hope you'll update the page with answers, rather than just replying by email):
- Is there a way for a CA to know which of its CRLs are on your crawl list?
- Are CRLs that are signed by roots (consisting most likely of intermediate CAs signed by the root) treated differently from CRLs that are signed by intermediates?
- It seems like there are cases in which Chrome (with default options) will not check the status of an intermediate or end entity certificate:
  - If it's not an EV cert, and it's not covered by a fresh CRLSet (either because it hasn't gotten an update, or because its CRL was not on your crawl list, or because the CRL was too large)
Is that correct? I know that Google is very concerned about the latency of making a revocation check, but it sounds to me like we have no visibility into which certs are checked for revocation and which are not. Do you have any concerns about that?
> -----Original Message-----
> From: Adam Langley [mailto:agl at google.com]
> Sent: Tuesday, August 27, 2013 8:18 AM
> To: Rick Andrews
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Request for details on CRL Sets
> On Mon, Aug 26, 2013 at 7:18 PM, Rick Andrews
> <Rick_Andrews at symantec.com> wrote:
> > The rest of your email is very helpful, but it's in an email. It may
> > be difficult to locate later, and it may be impossible for future CABF
> > members to find. Couldn't you just create a 'knowledge base' article
> > somewhere (akin to Microsoft's Knowledge Base, or Mozilla's wiki), and
> > keep it up to date? I don't think that's too much to ask. It could even
> > be on the CABF wiki, although that isn't accessible outside of CABF
> I've essentially copy-pasted the contents of that email into
> which can serve as a more canonical reference if you have need of one.