Re: [Nmh-workers] TLS certificate validation

From: Ralph Corderoy
Subject: Re: [Nmh-workers] TLS certificate validation
Date: Sun, 25 Sep 2016 12:26:51 +0100

Hi Ken,

> Hey, should we be checking CRLs as well?  I ask, because at work the
> CRLs I have to deal with have only 5 million certificates on them ...
> In seriousness, I wonder how often client software does that?  I know
> OCSP responses can be cached, but still ...

wget(1) has --crl-file.  OTOH,

    As of Firefox 28, Mozilla have announced they are deprecating CRL in
    favour of OCSP.
        — https://en.wikipedia.org/wiki/Revocation_list#Problems_with_CRLs

    Online (i.e. OCSP and CRL) checks are not, generally, performed by
    Chrome.  They can be enabled in the options and, in some cases, the
    underlying system certificate library always performs these checks
    no matter what Chromium does.  Otherwise they are only performed
    when verifying an EV certificate that is not covered by a fresh
        — https://dev.chromium.org/Home/chromium-security/crlsets

Cheers, Ralph.
