[1] [CITE@en[RFC 6960 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP]]
([TIME[2015-03-09 19:35:19 +09:00]] version)
<http://tools.ietf.org/html/rfc6960>
[2] [CITE@en[ImperialViolet - Revocation checking and Chrome's CRL]]
(by [[Adam Langley]], [TIME[2015-03-21 15:52:01 +09:00]] version)
<https://www.imperialviolet.org/2012/02/05/crlsets.html>
[3] [CITE@ja[Online Certificate Status Protocol - Wikipedia]]
([TIME[2015-03-20 16:10:52 +09:00]] version)
<http://ja.wikipedia.org/wiki/Online_Certificate_Status_Protocol>
[4] [CITE@en[CA:ImprovingRevocation - MozillaWiki]]
([TIME[2015-03-21 11:05:17 +09:00]] version)
<https://wiki.mozilla.org/CA:ImprovingRevocation>
[5] [CITE@en-US[Revoking Intermediate Certificates: Introducing OneCRL | Mozilla Security Blog]]
([TIME[2015-03-21 15:31:36 +09:00]] version)
<https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/>
[FIG(quote)[
[FIGCAPTION[
[6] [CITE@en[Necko/Differences - MozillaWiki]]
([TIME[2015-03-21 17:34:27 +09:00]] version)
<https://wiki.mozilla.org/Necko/Differences>
]FIGCAPTION]
>
> Other browsers implement persistent OCSP caches, but we do not (for various reasons).
]FIG]
[7] [CITE@en[157555 – OCSP tracking bug]]
([TIME[2015-03-21 22:53:11 +09:00]] version)
<https://bugzilla.mozilla.org/show_bug.cgi?id=157555>
[8] [[OCSP stapling]]
[9] [CITE@en[ImperialViolet - No, don't enable revocation checking]]
( (by [[Adam Langley]], [TIME[2016-05-09 20:48:57 +09:00]]))
<https://www.imperialviolet.org/2014/04/19/revchecking.html>
[FIG(quote)[
[FIGCAPTION[
[10] [CITE@en-US[Improving Revocation: OCSP Must-Staple and Short-lived Certificates | Mozilla Security Blog]]
( ([TIME[2016-05-09 21:15:03 +09:00]]))
<https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/>
]FIGCAPTION]
> In an ideal world, the browser would perform an online status check (such as OCSP) whenever it verifies a certificate, and reject the certificate if the check failed. However, these checks can be slow and unreliable. They time out about 15% of the time, and take about 350ms even when they succeed. Browsers generally soft-fail on revocation in an attempt to balance these concerns.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[11] [CITE[Security FAQ - The Chromium Projects]]
( ([TIME[2016-05-07 09:19:23 +09:00]]))
<https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-s-the-story-with-certificate-revocation->
]FIGCAPTION]
>
> Chrome performs online checking for Extended Validation certificates if it does not already have a non-expired CRLSet entry covering the domain. If Chrome does not get a response, it simply downgrades the security indicator to Domain Validated.
]FIG]
[12] [CITE@en[Issue 361820 - chromium - Check For Server Certificate Revocation checkbox is confusing - Monorail]]
( ([TIME[2016-05-09 23:42:16 +09:00]]))
<https://bugs.chromium.org/p/chromium/issues/detail?id=361820>
[13] [CITE@en-US[Certificate revocation and the performance of OCSP | Netcraft]]
( ([TIME[2016-05-05 10:34:42 +09:00]]))
<http://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html>