Hi Ryan!

Thank you for your email explaining how Google works with sharded CRLs. 
I only did some sample checks on crt.sh and it seemed that every leaf 
certificate has its own CRL (which I found an extremely interesting concept). 
But this was obviously not correct. With this information it is clear to me 
that the situation for OCSP is different from the CRLs.

Thank you!

/Rufus

From: [email protected] <[email protected]> On 
Behalf Of Ryan Hurst
Sent: Monday, 29 August 2022 23:36
To: [email protected]
Cc: Buschart, Rufus (IT IPS SIP ET) <[email protected]>; 
[email protected] <[email protected]>
Subject: Re: Revocation checking for EV server certificates in Chrome

Rufus,

Google Trust Services does do CRL sharding but we DO NOT do individual CRLs per 
certificate.

As an example, in the CRL you linked to in your post I count 329 entries 
(openssl crl -in fVJxbV-Ktmk.crl -inform DER -text|grep -c "Revocation Date").

I have not checked with the developers of the CA system on specifics for my 
response here, so I am not sure there are no edge cases, but it seems likely 
that if there is only one revoked certificate from a CA you will sometimes see 
one-entry CRLs. With that said, our objective is to chunk entries into 
useful, bite-sized CRLs, not produce single CRLs per certificate.

With that background I would argue that modern-day browser behavior of using 
delegated CRLs served by the browsers addresses the privacy concern in 
question. Specifically, the concern as I understand it is that as a user visits 
a site with OCSP (which BTW can technically contain multiple CertIDs also) the 
URL (in the case of a GET request) of the revocation response leaks the site 
being browsed to. The reliance on these delegated CRLs served by browsers 
addresses this by removing the CA from the runtime interaction altogether.

Ryan Hurst
Google Trust Services
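The two technical points in the message above, the entry count obtained with `openssl crl ... | grep -c "Revocation Date"` and the OCSP GET URL leaking which certificate (and so which site) the client is checking, can be reproduced offline. The following is an added example written for this thread, not code from Google Trust Services or from any poster. It uses the `cryptography` package; the CA name, the serial numbers (329 of them, to mirror the count quoted above), the hostname and the fixed-size chunking rule are all constructed for the example and say nothing about how GTS actually assigns entries to shards.

```python
"""Added example (not from the thread): sign a few sharded CRLs in memory,
count their entries the way the openssl one-liner does, and show what an
OCSP GET request path discloses. Names, serials and hostname are constructed."""
import base64
import datetime
import urllib.parse

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2022, 8, 29, tzinfo=datetime.timezone.utc)
ONE_WEEK = datetime.timedelta(days=7)

# Hypothetical issuing CA, constructed for this example (not a GTS CA).
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Shard CA")])
CA_CERT = (
    x509.CertificateBuilder()
    .subject_name(CA_NAME).issuer_name(CA_NAME)
    .public_key(CA_KEY.public_key())
    .serial_number(1)
    .not_valid_before(NOW).not_valid_after(NOW + 52 * ONE_WEEK)
    .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    .sign(CA_KEY, hashes.SHA256())
)


def issue_leaf(serial: int, hostname: str) -> x509.Certificate:
    """Issue a throwaway leaf certificate for `hostname` under CA_CERT."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(CA_NAME)
        .public_key(leaf_key.public_key())
        .serial_number(serial)
        .not_valid_before(NOW).not_valid_after(NOW + 12 * ONE_WEEK)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(CA_KEY, hashes.SHA256())
    )


def build_sharded_crls(revoked_serials, shard_size):
    """Chunk revoked serials into fixed-size shards and sign one CRL per shard.
    Returns a list of DER-encoded CRLs. The chunking rule is an illustration
    only; the thread does not say how GTS assigns entries to shards."""
    shards = []
    for start in range(0, len(revoked_serials), shard_size):
        builder = (
            x509.CertificateRevocationListBuilder()
            .issuer_name(CA_NAME)
            .last_update(NOW)
            .next_update(NOW + ONE_WEEK)
        )
        for serial in revoked_serials[start:start + shard_size]:
            entry = (
                x509.RevokedCertificateBuilder()
                .serial_number(serial)
                .revocation_date(NOW)
                .build()
            )
            builder = builder.add_revoked_certificate(entry)
        crl = builder.sign(private_key=CA_KEY, algorithm=hashes.SHA256())
        shards.append(crl.public_bytes(serialization.Encoding.DER))
    return shards


def count_revoked(crl_der: bytes) -> int:
    """Parse a DER CRL, verify its signature against the CA key and count
    entries; same result as `openssl crl -inform DER -text | grep -c "Revocation Date"`."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(CA_CERT.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    return len(list(crl))


def ocsp_get_path(leaf: x509.Certificate) -> str:
    """Path component of an OCSP GET request (RFC 6960 A.1):
    URL-encoded base64 of the DER OCSPRequest."""
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf, CA_CERT, hashes.SHA1()).build()
    der = req.public_bytes(serialization.Encoding.DER)
    return urllib.parse.quote(base64.b64encode(der).decode("ascii"), safe="")


def certid_from_ocsp_path(path: str):
    """What the responder, or anyone with its access logs, learns from the path:
    issuer name hash, issuer key hash and serial number, i.e. exactly which
    certificate the client is about to trust, and therefore which site."""
    req = ocsp.load_der_ocsp_request(base64.b64decode(urllib.parse.unquote(path)))
    return req.issuer_name_hash, req.issuer_key_hash, req.serial_number


if __name__ == "__main__":
    shards = build_sharded_crls(list(range(1000, 1329)), shard_size=100)
    print([count_revoked(s) for s in shards])  # [100, 100, 100, 29]
    leaf = issue_leaf(1234, "www.example.test")
    path = ocsp_get_path(leaf)
    print(certid_from_ocsp_path(path)[2])  # 1234
```

The last two functions are the privacy argument in code: the GET path round-trips to the CertID, so a plain HTTP access log at the responder is a log of visited sites. A browser-distributed CRL set answers the same question without any per-visit request, which is what the message above means by removing the CA from the runtime interaction.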

On Monday, August 29, 2022 at 11:44:58 AM UTC-7 [email protected] wrote:
Dear Ryan!

Thank you for sharing this information with us. Will this also have influence 
on Google's concept of individual CRLs per certificate (e.g. 
http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl for crt.sh | 7340166965, 
https://crt.sh/?id=7340166965)? 
I like this concept of extremely sharded CRLs a lot since it effectively keeps 
the CRL size under control, but in the end it seems to me to have the same 
privacy issues as the OCSP responder.

Greetings

Rufus

IT IPS SIP ET
Freyeslebenstr. 1
91058 Erlangen, Germany
Mobile: +49 (1522) 2894134
[email protected]



From: 'Ryan Dickson' via [email protected] <[email protected]>
Sent: Wednesday, 24 August 2022 14:14
To: [email protected] <[email protected]>
Subject: Revocation checking for EV server certificates in Chrome

Hello,


OCSP requests reveal details of individuals' browsing history to the operator 
of the OCSP responder. These can be exposed accidentally (e.g., via data breach 
of logs) or intentionally (e.g., via subpoena). This is part of why Chrome 
doesn't do OCSP checks for Domain Validated (DV) or Organization Validated (OV) 
certificates by default, and starting in version 106, Chrome won't do them for 
Extended Validation (EV) certificates either, to better protect users' privacy.


Select revocation checking support will continue to be available through 
CRLSets (https://www.chromium.org/Home/chromium-security/crlsets/), and OCSP 
stapling (https://en.wikipedia.org/wiki/OCSP_stapling) will still be supported. 
Chrome also supports an enterprise policy 
(https://chromeenterprise.google/policies/#EnableOnlineRevocationChecks) 
to enable online revocation checking, though this may be removed in the future.


For any other questions or concerns, please email us at [email protected].


Thanks,

Ryan
[Sent on behalf of the Chrome Root Program]

--
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADEW5O9Wztn76K%2BFJ6OshDnespeDactN%3DCuPXoHYQJKwdNMr6w%40mail.gmail.com.