On Tue, Feb 7, 2012 at 6:05 AM, Marcus Brinkmann < [email protected]> wrote:
> >> > That's a false dilemma. You could also extract trust from your cache, ie
> >> > your past experience with the same server (the SSH model), and/or from your
> >> > past connections with the internet (CRL or monitoring servers differently
> >> > from Google Chrome autoupdater).
>
> Langley doesn't state why he is limiting the options in this way. It is
> probably a mix of cultural bias and technical reasons (performance, etc).
>
> In any case, the proposal still keeps an old-fashioned CRL around to check.
>
> Later on, Langley seems to want to replace the CRL with a positive proof
> of freshness:
>
> http://www.imperialviolet.org/2011/11/29/certtransparency.html

You do realize that there is a lot of work going on in parallel to fix all of this, and the current CRL distribution is yet one of many things they are likely exploring, right? I don't remember Adam saying in his blog post or in any other posts, etc. that this is the only change they will make to Chrome.

At the same time I think they did get fairly tired of hard-coding a CRL list into the Chrome binary itself for the CA breaches...

- Andy
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
