[32] RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
( 版)
https://tools.ietf.org/html/rfc7525#section-6.5
[36] The current state of certificate revocation (CRLs, OCSP and OCSP Stapling)
( ())
https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
[37] How Certificate Revocation Works
( ())
https://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx
[38] Issue 305443 - chromium - Chrome for Android doesn't seem to respect CRL - Monorail
( ())
https://bugs.chromium.org/p/chromium/issues/detail?id=305443
On all platforms that perform revocation checks as a system-level component (eg: on Windows and OS X), we always pass flags to allow cached revocation checks. That is, if another application has caused a revoked certificate to be known, we (Chrome) will treat it as revoked. Additionally, we pass flags to disable online revocation checks. However, in certain circumstances, the OS will ignore those flags and force an online revocation check. In those cases as well, the revocation will be picked up.
Absent both of those cached settings, however, we utilize CRLSets, the contents of which are described at a previous link and, by design, do not contain *every* revoked certificate.
[40] Security FAQ - The Chromium Projects
( ())
https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-s-the-story-with-certificate-revocation-
[41] ImperialViolet - Revocation still doesn't work
( (Adam Langley著, ))
https://www.imperialviolet.org/2014/04/29/revocationagain.html
[4] 854346 – Treat expired certs with no revocation information as revoked, and do not allow an override
( ())
https://bugzilla.mozilla.org/show_bug.cgi?id=854346
It will also check the revocation of the certificate with OCSP, but currently only if the server provides OCSP stapling (for deeper checks see ocsp_resolver method).
[11] Check Certificate Revocation Lists the OCSP status of an (SSL) Certificate
( ())
https://certificate.revocationcheck.com/
[1] 1024809 – (OneCRL) Add Revoked Intermediate Certs to revocation list push mechanism
( ())
https://bugzilla.mozilla.org/show_bug.cgi?id=1024809#c59
I would encourage you to re-think the Issuer+SerialNumber being the only blocking mechanism. Both CRLSets and Microsoft's Certificate Distrust Lists have found that in the real world of revocations (most notably, DigiNotar), issuer+serial number is NOT sufficient. There are times where you want Subject+Public Key, as a given Subject+PublicKey may have many issuers, some of which the affected CA does not disclose.
[14] Requiring OCSP for EV (was Re: [ct-policy] Proposed changes to EV/CT Plan) - Google グループ
( ())
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/jmbbIgmGbdk
> For Chrome, AIUI you already aim to have your CRLSets cover all EV certs, so why demand OCSP Stapling for EV as well?
>
This is not correct, and something we have repeatedly clarified. CRLSets first and foremost has been a means to deal with emergency revocations outside of the binary updates, such as those employed by Firefox, or system updates, such as those employed by Microsoft (prior to certificate distrust lists, which operate comparably) or Apple. Our commitment is to rapid response, and the focus here is on intermediates and certificates with powerful/dangerous capabilities that put a broad base of users at risk.
In the course of developing this, we saw an opportunity to optimize some of the CRL delivery for end-entity certs, but this was merely opportunistic. While we still employ it, especially for CAs that can provide meaningful revocation information, this is a "nice to have", and may be removed in the future. While I'm sure this would kick off a centithread alone, I don't think we should focus on this.
[16] cURL - How To Use
( ())
https://curl.haxx.se/docs/manpage.html#--crlfile
--crlfile <file>
(HTTPS/FTPS) Provide a file using PEM format with a Certificate Revocation List that may specify peer certificates that are to be considered revoked.
[17] cURL - SSL CA Certificates
( ())
https://curl.haxx.se/docs/sslcerts.html
Schannel will run CRL checks on certificates unless peer verification is disabled. Secure Transport on iOS will run OCSP checks on certificates unless peer verification is disabled. Secure Transport on OS X will run either OCSP or CRL checks on certificates if those features are enabled, and this behavior can be adjusted in the preferences of Keychain Access.
[18] マイナンバーカードでSSHする - AAA Blog
(hamano著, )
https://www.osstech.co.jp/~hamano/posts/jpki-ssh/
[21] Are revoked certificates detected in Safari and Chrome? - Server - Let's Encrypt Community Support
()
https://community.letsencrypt.org/t/are-revoked-certificates-detected-in-safari-and-chrome/42677/6
[22] 361820 - Check For Server Certificate Revocation checkbox is confusing - chromium - Monorail
()
https://bugs.chromium.org/p/chromium/issues/detail?id=361820
[23] No bug, Automated blocklist update from host bld-linux64-spot-302 - a…
(ffxbld著, )
https://github.com/mozilla/gecko-dev/commit/3d37781c2d360dfbc41d5ef40f5111166475010c#diff-6977f1da0159242e38daf7645b72e52a