Isn't CRLSet a Google invention? Doesn't it depend on Chrome software updates?
All I know about it, I read from Langley's writings. Is there a better reference?
Who set the implemntation limits, if not Google?
Maybe those limits are justifiable, but that doesn't leave someone who's left unprotected, by what seem like arbitrary policy cutoffs, feeling any better.
Google didn't invent this idea. It was suggested by the CABForum.
CRLsets are static, practically hardcoded revocations that every installation of Chrome receives. The idea that https://yourblog.com should expect specific consideration in Chrome updates is about as reasonable as suggesting that we revert back from the DNS to host files.
The more I read, the more it seems CRLSet implementation choices were entirely Google's. For example, when CABForum members want information about how CRLSets work, Langley suggests the best (and only!) reference is the Chrome source code:
https://cabforum.org/pipermail/public/2013-August/002149.htm...
I am of course open to better information. But for now it still looks like Google did indeed "choose how big to make the lifeboat", unlike your assertion to the contrary.
Also, it looks like the 250KB cap is in Google's unpublished server-side source that constructs the CRLSets. So Google could conceivably "expand the lifeboat" unilaterally with a tiny edit!
For reference, it appears the current 'Safe Browsing' blacklists, never more stale than 45 minutes, are about 2.3MB in size. So the CRLSet cap (250KB) and freshness (1 day) aren't very generous to users.
