Rufus, Google Trust Services does do CRL sharding but we DO NOT do individual CRLs per certificate.
As an example, in the CRL you linked to in your post I count 329 entries (openssl crl -in fVJxbV-Ktmk.crl -inform DER -text|grep -c "Revocation Date"). I have not checked with the developers of the CA system on specifics for my response here so I am not sure there are not edge cases are but it seems likely that if there is only one revoked certificate from a CA you will sometimes see one entry CRLs. With that said our objective is to chunk entries them into useful, bite sized CRLs, not produce single CRLs per certificate. With that background I would argue that modern day browser behavior of using delegated CRLs served by the browsers addresses the privacy concern in question. Specifically the concern as I understand it is that as a user visits a site with OCSP (which BTW can technically contain multiple CertIDs also) the URL (in the case of a GET request) of the revocation response leaks the site being browsed to. The reliance on these delegated CRLs served by browsers addresses this by removing the CA from the runtime interaction all together. Ryan Hurst Google Trust Services On Monday, August 29, 2022 at 11:44:58 AM UTC-7 [email protected] wrote: > Dear Ryan! > > > > Thank you for sharing this information with us. Will this also have > influence on Google’s concept of individual crls per certificate (e.g. > http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl for crt.sh | 7340166965 > <https://crt.sh/?id=7340166965>)? I like this concept of extremely > sharded CRLs a lot since it effectively keeps the CRL size under control > but at the end it seems to me to have the same privacy issues as the OCSP > responder. > > > > Greetings > > > > Rufus > > IT IPS SIP ET > Freyeslebenstr. 1 > 91058 Erlangen, Germany > Mobile: +49 (1522) 2894134 <+49%201522%202894134> > mailto:[email protected] > > Important notice: This e-mail and any attachment thereof contain corporate > proprietary information. If you have received it by mistake, please notify > us immediately by reply e-mail and delete this e-mail and its attachments > from your system. Thank you. > Siemens Corporation: Chairman of the Supervisory Board: Jim Hagemann > Snabe; Managing Board: Roland Busch, Chairman, President and Chief > Executive Officer; Klaus Helmrich, Cedrik Neike, Matthias Rebellius, Ralf > P. Thomas, Judith Wiese; > Registered offices: Berlin and Munich, Germany; Commercial registries: > Berlin-Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE > 23691322 > > > > > > *From:* 'Ryan Dickson' via [email protected] < > [email protected]> > *Sent:* Wednesday, 24 August 2022 14:14 > *To:* [email protected] <[email protected]> > *Subject:* Revocation checking for EV server certificates in Chrome > > > > Hello, > > > > OCSP requests reveal details of individuals' browsing history to the > operator of the OCSP responder. These can be exposed accidentally (e.g., > via data breach of logs) or intentionally (e.g., via subpoena). This is > part of why Chrome doesn't do OCSP checks for Domain Validated (DV) or > Organization Validated (OV) certificates by default, and starting in > version 106, Chrome won't do them for Extended Validation (EV) certificates > either, to better protect users' privacy. > > > > Select revocation checking support will continue to be available through > CRLSets > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.chromium.org%2FHome%2Fchromium-security%2Fcrlsets%2F&data=05%7C01%7Crufus.buschart%40siemens.com%7Ca61f65fe871f4bd8401808da85ca3035%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637969400679584013%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rA1h5kn2kBXa52a09WFwUxtE1LHy3PKotnWsaJ6posI%3D&reserved=0>, > > and OCSP stapling > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FOCSP_stapling&data=05%7C01%7Crufus.buschart%40siemens.com%7Ca61f65fe871f4bd8401808da85ca3035%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637969400679584013%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=sv3YhBhGbc%2B1%2B3Jj5Fiod7GLOA7gyrCDqDOmIuc%2BhIQ%3D&reserved=0> > > will still be supported. Chrome also supports an enterprise policy > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fchromeenterprise.google%2Fpolicies%2F%23EnableOnlineRevocationChecks&data=05%7C01%7Crufus.buschart%40siemens.com%7Ca61f65fe871f4bd8401808da85ca3035%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637969400679584013%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=MKPFgqs%2Fj%2B8nJ8RRUcpekzNT%2FObzC8%2FuzHPth1psHRs%3D&reserved=0> > > to enable online revocation checking, though this may be removed in the > future. > > > > For any other questions or concerns, please email us at > [email protected]. > > > > Thanks, > > Ryan > > [Sent on behalf of the Chrome Root Program] > > > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADEW5O9Wztn76K%2BFJ6OshDnespeDactN%3DCuPXoHYQJKwdNMr6w%40mail.gmail.com > > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FCADEW5O9Wztn76K%252BFJ6OshDnespeDactN%253DCuPXoHYQJKwdNMr6w%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Crufus.buschart%40siemens.com%7Ca61f65fe871f4bd8401808da85ca3035%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637969400679584013%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WNT%2F6ExdAaP8wywmgt4BvYjz7J5%2FguBh%2F7lAptDzBzg%3D&reserved=0> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/8f8c76f5-9029-46ca-9995-ff034b2c5f14n%40mozilla.org.
