Re: [SECURITY] [DSA 2939-1] chromium-browser security update
On 1/06/2014 4:35 AM, Michael Gilbert wrote:
> On Sat, May 31, 2014 at 1:46 PM, Andrew McGlashan wrote:
>> We may see certificate stapling as an answer, but that won't be enough
>> if it cannot be certified to /require/ stapling in the cert itself.
>> There may be other solutions in time.
>> You are right in saying that the whole certificate revocation model is
>> flawed, but not as flawed as what Google is choosing to use in CRLset.
>> Quite simply, Google's response to this problem is a joke.
> It sounds like you've got a stinging itch there, so feel empowered to
> go scratch it. I'm sure Google would be interested in a nice patch
> set solving this problem once and for all.
Google did have OCSP, but they deliberately removed it recently.
FWIW, Steve Gibson has a very good take on all of this.
The OCSP server not found issue is rare; in the past the /main/ CAs got
together to discuss the OCSP issue and they created CDNs to deal with
issues like not being able to connect to the OCSP server. The page that
was linked from /google's/ pov ... was quite old, btw.
Google pushed back on OCSP when Steve Gibson had much to say about the
whole revocation mess and he talked about alternative ideas that the
industry is considering. The CAs backed Steve's take and can't seem to
understand why Google would push back so hard to go against the OCSP
idea and other possible solutions.
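The mechanism the reply asks for, a certificate that /requires/ stapling, exists as the TLS Feature extension of RFC 7633 ("OCSP Must-Staple"). The Go below is an added example, not code from this thread: it shows how a CA encodes the requirement into the certificate and how a client turns a missing staple into a hard failure instead of the soft-fail that follows an unreachable OCSP responder. The names MustStapleExtension, RequiresStapling and CheckStaple are my own.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
)

// id-pe-tlsfeature (RFC 7633): TLSFeatures ::= SEQUENCE OF INTEGER; the value 5
// (TLS status_request) means the certificate requires a stapled OCSP response.
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// MustStapleExtension is what a CA puts in the certificate to require stapling
// (added via x509.Certificate.ExtraExtensions when the certificate is issued).
func MustStapleExtension() pkix.Extension {
	val, _ := asn1.Marshal([]int{5}) // fixed input, cannot fail
	return pkix.Extension{Id: oidTLSFeature, Value: val}
}

// RequiresStapling inspects a parsed certificate for the must-staple feature;
// x509.ParseCertificate leaves this extension raw in cert.Extensions.
func RequiresStapling(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int
		if _, err := asn1.Unmarshal(ext.Value, &features); err != nil {
			return false // malformed extension: treat it as absent
		}
		for _, f := range features {
			if f == 5 {
				return true
			}
		}
	}
	return false
}

// CheckStaple is the client policy: a must-staple certificate with no stapled
// response (tls.ConnectionState.OCSPResponse in a real handshake) is a hard
// failure, instead of the soft-fail applied when an OCSP responder is unreachable.
func CheckStaple(cert *x509.Certificate, stapled []byte) error {
	if RequiresStapling(cert) && len(stapled) == 0 {
		return errors.New("certificate requires OCSP stapling but none was provided")
	}
	return nil
}
```

Certificates without the extension are unaffected, so a client can enforce this today without changing how it treats the rest of the web.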