undefined | Better HN

0 pointseinhverfr11y ago0 comments

> Online revocation is pointless.

So is getting a subset of revoked certs Google deems "valuable." In fact, that may be even more dangerous since it establishes first class secure sites vs everyone else.

Why should Yahoo's cert revocatins get in the CRLsets but not less well known sites? How is that less broken than online revocation?

Keep in mind, my big objection is:

Google did not distribute our certificate vocation in their CRLSet, presumably because we weren't large enough. That is not a fix for anything.

0 comments

tptacek11y ago

This comment isn't responsive to mine.

einhverfrOP11y ago

Ok, fair enough. I am just making sure my objection to Google's approach is clear.

I would be OK if they guaranteed complete CRLsets from all participating CA's. Since they don't, their solution is more broken than what they are replacing.

So I acknowledge that online revocation is problematic. I just think the crlset approach is an order of magnitude worse when the crlset is a subset of revoked entries sent by the ca.

tptacek11y ago

Respectfully, I think an accurate summary of your argument is that you would rather pretend to be secure using broken online revocation checks than to have to stomach the Chromium team providing a marginal amount of actual security by deciding which sites are and aren't worthy of protection.

3 more replies

j / k navigate · click thread line to collapse

0 pointseinhverfr11y ago0 comments

> Online revocation is pointless.

So is getting a subset of revoked certs Google deems "valuable." In fact, that may be even more dangerous since it establishes first class secure sites vs everyone else.

Why should Yahoo's cert revocatins get in the CRLsets but not less well known sites? How is that less broken than online revocation?

Keep in mind, my big objection is:

Google did not distribute our certificate vocation in their CRLSet, presumably because we weren't large enough. That is not a fix for anything.

0 comments

tptacek11y ago

This comment isn't responsive to mine.

einhverfrOP11y ago

Ok, fair enough. I am just making sure my objection to Google's approach is clear.

I would be OK if they guaranteed complete CRLsets from all participating CA's. Since they don't, their solution is more broken than what they are replacing.

So I acknowledge that online revocation is problematic. I just think the crlset approach is an order of magnitude worse when the crlset is a subset of revoked entries sent by the ca.

tptacek11y ago

3 more replies

j / k navigate · click thread line to collapse