[cabfpub] Chrome revocation checking problem
Erwann Abalea
erwann.abalea at opentrust.com
Mon Mar 30 14:04:28 UTC 2015
Hello,
I'm not sure this is something to discuss here, but since you brought up the
subject...
Chrome doesn't use CRLs; they have been replaced by CRLSets since 2012.
Your DVCA isn't in the current CRLSet.
CRLSet involves crawling CRLs and extracting useful entries. The
usefulness depends on the revocation reason, and the security risk
associated with the declared reason.
The dvcasha2.crl CRL contains a lot of certificates revoked with an
"unspecified" reason code, and that's the reason used for this
particular certificate. I don't know if Google takes those reason codes
as security risks.
Take a look at RFC5280:
-----
5.3.1. Reason Code
The reasonCode is a non-critical CRL entry extension that identifies
the reason for the certificate revocation. CRL issuers are strongly
encouraged to include meaningful reason codes in CRL entries;
however, the reason code CRL entry extension SHOULD be absent instead
of using the unspecified (0) reasonCode value.
-----
If you remove the "unspecified" reason code to comply with the SHOULD,
and Google takes your CRL into consideration to build the CRLSet, then
those certificates will surely be declared as revoked (no indicated
reason is considered risky for the CRLSet build process, last time I
checked).
You SHOULD really take a look at the content of your CRLs when they come
from the same CA and are signed by a different key with different
algorithms.
For example, spacesslca.crl and spacesslcasha2.crl, or evca.crl and
evca2.crl. They don't contain the same information, yet are all 4
unpartitioned and complete CRLs for 2 CAs.
--
Erwann ABALEA
On 30/03/2015 13:29, michal.proszkiewicz at unizeto.pl wrote:
> Hi,
>
> We have a problem with revocation in Chrome.
>
> One of our clients revoked a certificate, and in Chrome it is still
> visible as valid.
>
> Please check:
> https://bar.drinki.com/login
>
> The certificate has been on the CRL since Jan 27 10:40:36 2015 GMT:
> http://crl.certum.pl/dvcasha2.crl
>
> OCSP (checked using OpenSSL) is also OK:
> Response verify OK
> cert.pem: revoked
> This Update: Mar 30 11:27:41 2015 GMT
> Next Update: Apr 6 11:27:41 2015 GMT
> Revocation Time: Jan 27 10:40:36 2015 GMT
>
>
> Are we missing something?
> I checked the settings but there is nothing regarding certificate status
> checking (I think that in the past there was this kind of option).
>
> -Michał Proszkiewicz
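A CA operator wanting to check its own CRLs for the RFC 5280 section 5.3.1 point raised above (entries carrying reasonCode unspecified(0) instead of omitting the extension) could do so with the following added Python example, which is not code from this thread; it uses the `cryptography` library, and the CA name and serial numbers in the constructed sample CRL are made up.

```python
"""Audit a CRL for RFC 5280 5.3.1: entries with reasonCode unspecified(0)
should omit the extension instead. Added example, not from the thread."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def audit_crl(crl: x509.CertificateRevocationList) -> dict:
    """Classify every revoked entry by how it handles the reasonCode extension."""
    report = {"absent": [], "unspecified": [], "explicit": []}
    for entry in crl:
        try:
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
        except x509.ExtensionNotFound:
            report["absent"].append(entry.serial_number)       # compliant with the SHOULD
            continue
        if reason == x509.ReasonFlags.unspecified:
            report["unspecified"].append(entry.serial_number)  # violates the SHOULD
        else:
            report["explicit"].append((entry.serial_number, reason.name))
    return report


def audit_crl_file(path: str) -> dict:
    """Audit a DER-encoded CRL fetched from a distribution point (e.g. a .crl file)."""
    with open(path, "rb") as f:
        return audit_crl(x509.load_der_x509_crl(f.read()))


def build_sample_crl() -> x509.CertificateRevocationList:
    """Constructed CRL from a hypothetical CA with one entry of each kind."""
    key = ec.generate_private_key(ec.SECP256R1())  # throwaway signing key
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example DV CA (constructed)")])
    now = datetime.datetime(2015, 3, 30, tzinfo=datetime.timezone.utc)

    def revoked(serial, reason=None):
        b = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
        if reason is not None:
            b = b.add_extension(x509.CRLReason(reason), critical=False)
        return b.build()

    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer).last_update(now)
               .next_update(now + datetime.timedelta(days=7))
               .add_revoked_certificate(revoked(1001))                                # no reasonCode
               .add_revoked_certificate(revoked(1002, x509.ReasonFlags.unspecified))  # unspecified(0)
               .add_revoked_certificate(revoked(1003, x509.ReasonFlags.key_compromise)))
    return builder.sign(key, hashes.SHA256())
```

Running `audit_crl_file("dvcasha2.crl")` against a downloaded CRL lists the serials whose entries should have the extension dropped rather than set to unspecified(0).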