This boils down to whether it is okay to prioritize availability over security. Still, the actual question remains: does the Android browser support CRL or OCSP in any form?
And since CRLs can be cached, it would be perfectly sane to have a cached CRL on device for an intermediate that has been compromised, such as currently Diginotar “Staat der Nederlanden *” intermediates. And note that removing the Diginotar root from cacerts.bks does not help since the intermediates are chained up to a “Staat der Nederlanden” root which is not compromised and should remain trusted.

On Aug 30, 10:06 pm, Chris Palmer <[email protected]> wrote:
> > Having OCSP/CRL will help.
>
> Actually, that is not at all clear.
>
> http://www.imperialviolet.org/2011/03/18/revocation.html
> http://www.ietf.org/mail-archive/web/websec/current/msg00296.html
>
> Compound the generally low reliability and performance of CAs' OCSP
> and CRL endpoints, multiply that times the poor connectivity you get
> on mobile platforms, and revocation checking starts to look like a
> real loser. Even in the best circumstances, checking OCSP or a CRL
> seriously impacts the latency of setting up a TLS connection.
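To illustrate the chain-of-trust point made in the post (example code written for this page, not from the thread, from Android, or from any CA): a toy model of X.509 path building showing that dropping the DigiNotar root from the trust store leaves the path intact when the compromised intermediate chains to a different, still-trusted root, while a cached CRL naming that intermediate does block it. All certificate names and serials are constructed, not real certificate data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model)."""
    subject: str
    issuer: str
    serial: int


def build_chain(leaf, pool):
    """Follow issuer links from the leaf up to a self-signed cert, or None."""
    by_subject = {c.subject: c for c in pool}
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].subject != chain[-1].issuer:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None or parent.subject in seen:
            return None
        seen.add(parent.subject)
        chain.append(parent)
    return chain


def validate(leaf, pool, trusted_roots, cached_crl):
    """Return (ok, reason); cached_crl maps issuer name -> revoked serials."""
    chain = build_chain(leaf, pool)
    if chain is None:
        return False, "no path to a self-signed certificate"
    if chain[-1].subject not in trusted_roots:
        return False, f"root {chain[-1].subject!r} is not trusted"
    for cert in chain[:-1]:  # every non-root cert is checked against its issuer's CRL
        if cert.serial in cached_crl.get(cert.issuer, set()):
            return False, f"{cert.subject!r} revoked by {cert.issuer!r}"
    return True, "chain valid"


# Constructed hierarchy mirroring the scenario: the intermediate is issued by
# the (uncompromised) Staat der Nederlanden root, not by the DigiNotar root.
ROOT_NL = Cert("Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA", 1)
ROOT_DN = Cert("DigiNotar Root CA", "DigiNotar Root CA", 2)
INTERMEDIATE = Cert("Staat der Nederlanden Sub CA (compromised)", ROOT_NL.subject, 10)
LEAF = Cert("example.test", INTERMEDIATE.subject, 100)
POOL = [ROOT_NL, ROOT_DN, INTERMEDIATE, LEAF]


def scenario_remove_root():
    # Trust store without the DigiNotar root: the leaf still validates.
    return validate(LEAF, POOL, {ROOT_NL.subject}, {})


def scenario_cached_crl():
    # Cached CRL from the NL root listing the intermediate's serial: blocked.
    return validate(LEAF, POOL, {ROOT_NL.subject}, {ROOT_NL.subject: {INTERMEDIATE.serial}})
```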
