Hi Ken,

> Hey, should we be checking CRLs as well?  I ask, because at work the
> CRLs I have to deal with have only 5 million certificates on them ...
> In seriousness, I wonder how often client software does that?  I know
> OCSP responses can be cached, but still ...

wget(1) has --crl-file.  OTOH,

    As of Firefox 28, Mozilla have announced they are deprecating CRL in
    favour of OCSP.
        — https://en.wikipedia.org/wiki/Revocation_list#Problems_with_CRLs

    Online (i.e. OCSP and CRL) checks are not, generally, performed by
    Chrome.  They can be enabled in the options and, in some cases, the
    underlying system certificate library always performs these checks
    no matter what Chromium does.  Otherwise they are only performed
    when verifying an EV certificate that is not covered by a fresh
    CRLSet.
        — https://dev.chromium.org/Home/chromium-security/crlsets

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy