Re: [Nmh-workers] TLS certificate validation
From: Ralph Corderoy
Subject: Re: [Nmh-workers] TLS certificate validation
Date: Sun, 25 Sep 2016 12:26:51 +0100

Hi Ken,

> Hey, should we be checking CRLs as well? I ask, because at work the
> CRLs I have to deal with have only 5 million certificates on them ...
>
> In seriousness, I wonder how often client software does that? I know
> OCSP responses can be cached, but still ...

wget(1) has --crl-file. OTOH,

    As of Firefox 28, Mozilla have announced they are deprecating CRL in
    favour of OCSP.
    — https://en.wikipedia.org/wiki/Revocation_list#Problems_with_CRLs

    Online (i.e. OCSP and CRL) checks are not, generally, performed by
    Chrome. They can be enabled in the options and, in some cases, the
    underlying system certificate library always performs these checks
    no matter what Chromium does. Otherwise they are only performed
    when verifying an EV certificate that is not covered by a fresh
    CRLSet.
    — https://dev.chromium.org/Home/chromium-security/crlsets

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy