CRLSets

CRLSets

[16] CRLSet は、 Chrome証明書の失効の確認のために使っている失効情報ファイルです。

関連

[17] FirefoxOneCRL という同様の情報ファイルを使っています。

歴史

[1] ImperialViolet - Revocation checking and Chrome's CRL (Adam Langley 著, 版) https://www.imperialviolet.org/2012/02/05/crlsets.html

[2] agl/crlset-tools ( 版) https://github.com/agl/crlset-tools

[3] CRLSets - The Chromium Projects ( 版) https://dev.chromium.org/Home/chromium-security/crlsets

[4] CA Security Council | CASC Heartbleed Response ( 版) https://casecurity.org/2014/05/08/casc-heartbleed-response/

[5] GRC's | Chrome's CRLSet Effectiveness Evaluation   ( 版) https://www.grc.com/revocation/crlsets.htm

[7] 886471 – Add Preloaded CRLSet mechanism ( 版) https://bugzilla.mozilla.org/show_bug.cgi?id=886471

[33] Security FAQ - The Chromium Projects ( 版) http://www.chromium.org/Home/chromium-security/security-faq#TOC-What-s-the-story-with-certificate-revocation-

[6] draft-hallambaker-compressedcrlset-00 - Compressed CRL Sets ( ()) https://tools.ietf.org/html/draft-hallambaker-compressedcrlset-00

[8] net/cert/crl_set_storage.cc - chromium/src - Git at Google ( ()) https://chromium.googlesource.com/chromium/src/+/master/net/cert/crl_set_storage.cc

[9] #745646 - chromium: CRLSet (for certificate revocation checking) silently remains outdated - Debian Bug report logs ( ()) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745646

[10] [cabfpub] Request for details on CRL Sets ( ()) https://cabforum.org/pipermail/public/2013-August/002159.html

Originally the hope was to

include all EV CRLs in the CRLSet since the set of EV CAs is much

smaller. However, that hasn't worked out for size reasons and so we

have the online fallback for EV certs. Whether the online checks are

worthwhile for EV certs isn't terribly clear, but it's what we're

doing for now.

[11] [cabfpub] Request for details on CRL Sets ( ()) https://cabforum.org/pipermail/public/2013-August/002134.html

[12] ImperialViolet - Revocation checking and Chrome's CRL ( (Adam Langley著, )) https://www.imperialviolet.org/2012/02/05/crlsets.html

[13] Issue 589336 - chromium - Integrate CRLSets into the NSS certificate path building logic - Monorail ( ()) https://bugs.chromium.org/p/chromium/issues/detail?id=589336

[14] Issue 305443 - chromium - Chrome for Android doesn't seem to respect CRL - Monorail ( ()) https://bugs.chromium.org/p/chromium/issues/detail?id=305443

[15] ImperialViolet - Revocation still doesn't work ( (Adam Langley著, )) https://www.imperialviolet.org/2014/04/29/revocationagain.html

[18] 現在のファイルは137KBあります。

[19] Check Chrome components - Chrome Help ( ()) https://support.google.com/chrome/answer/6072728?hl=en

You may notice the file name “Certificate Revocation Lists.”

What it is: CRLSets help block website certificates that are potentially unsafe.

How it's used by Chrome: Chrome can sense when there’s something wrong with a website’s security certificate. When a site is suspected to be unsafe (for example, one that pretends to be a trusted website and tricks you into sharing sensitive information), Chrome uses CRLSets to react quickly.

[22] 自堕落な技術者の日記 : 将来Google ChromeがSSL証明書のオンライン失効検証をやめて独自の失効情報プッシュを行うという困った話 - livedoor Blog(ブログ), http://blog.livedoor.jp/k_urushima/archives/1656214.html

[20] data/ssl/scripts/crlsetutil.py - chromium/src/net - Git at Google ( ()) https://chromium.googlesource.com/chromium/src/net/+/refs/heads/master/data/ssl/scripts/crlsetutil.py

[21] Issue 418173004: Enable and fix CRLSet and remoting tests on non-Android OpenSSL. - Code Review ( ()) https://codereview.chromium.org/418173004