On 1/06/2014 12:31 AM, Michael Gilbert wrote: > On Sat, May 31, 2014 at 7:44 AM, Andrew McGlashan wrote: >> Does Chromium suffer from the Google decision to make use of OCSP >> impossible? Therefore, an untrustworthy browser. > > Basically, the answer is the design of certificate revocation is > fundamentally flawed, and Google have their own security model: > http://www.imperialviolet.org/2012/02/05/crlsets.html > > That should not in any way lead to the conclusion that chromium or > google chrome are untrustworthy. It just means that Google uses an > alternative approach to a fundamentally unsolvable problem.
Absolutely you cannot trust Google's method of placing a bandaid on the problem. There are about a days worth of revoked certificates in CRLset .. that is far from sufficient for certs that can be up to 10 years old, albeit most are 1 or 2 years. OCSP is far superior than CRLset and even better when you force a response to be required -- which is possible, but not default with Firefox. We may see certificate stapling as an answer, but that won't be enough if it cannot be certified to /require/ stapling in the cert itself. There may be other solutions in time. You are right in saying that the whole certificate revocations model is flawed, but not as flawed as what Google is choosing to use in CRLset. Quite simply, Google's response to this problem is a joke. Cheers A. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/538a157b.2070...@affinityvision.com.au
