On Wed, Feb 8, 2012 at 1:34 AM, Taral <[email protected]> wrote:
> spki hash
> serial
> serial
> serial

That was my guess too, but I was surprised by the low number of serials compared to the official public CRLs.

> And it looks like it's been updated:
>
> % ./crlset dump crlset | grep '^ ' | wc -l
> 3809

Until now (looking at the number of listed serials), the fall-back to the CRL/OCSP should still be considered by Google.

Another point (even if OCSP is not very appropriate): OCSP was used in "black-list" mode when DigiNotar discovered the breach, to block unknown/rogue certificates [1]. Still, sometimes OCSP is useful.

See ya,

[1] http://isc.sans.edu/diary.html?storyid=11512

--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://www.foo.be/cgi-bin/wiki.pl/Diary
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
