On Fri, Oct 07, 2016 at 03:21:48AM +0000, Peter Gutmann wrote:
> Kurt Roeckx <k...@roeckx.be> writes:
> 
> >This is why browsers have something like OneCRL, so that they actually do
> >know about it and why Rob added that information to the bug tracker (
> >https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2).
> 
> That still doesn't necessarily answer the question, Google have their CRLSets
> but they're more ineffective than effective in dealing with revocations
> (according to GRC, they're 98% ineffective,
> https://www.grc.com/revocation/crlsets.htm).  Given how hard it is to
> determine whether cross-certifications exist (we really have no way of telling
> until a cross-certificate suddenly turns up somewhere), it'd be good to have
> some firm indication of whether a revocation will actually take effect or not.
> Certainly for CRLSets it seems it won't.

Mozilla now requires the disclosure of all intermediate certificates,
including those cross-certificates. I understand that the CRL
information for all of them should be provided too, and that
Mozilla will import all those in OneCRL. So the problem would be
the undisclosed certificates. In theory we could go and make
a whitelist of the disclosed ones. I'm not sure if Mozilla actually
has any plans for that.

We should at some point probably also start to add the known but
undisclosed ones to OneCRL.


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy