Hello,

On Thursday, 1 September 2016 09:27:11 UTC+2, Ryan Sleevi wrote:
> On Wednesday, August 31, 2016 at 11:03:11 PM UTC-7, Percy wrote:
[...]
> > Or we can use an offline whitelist. How about include SHA-2 of existing
> > WoSign certificates in the binary? So the browser would first check whether
> > it's signed by WoSign, if so, compare the hash of the cert with the offline
> > list. 224 bit hash * 230K certificate = 6.5 MB. Considering the Chrome
> > installer file is almost 70MB, this might be acceptable.
>
> 1) SHA-2 is 256-bit, not 224-bit
> 2) A 100KB increase is unacceptable, especially for mobile users.

The whitelist for EV logged before 01/01/15 contained around 180k certificates, each one identified by a 64-bit digest; the list was compressed in order to gain 25%, and the result was an object slightly larger than 1MB. Today, this list contains around 110k certificates, and it's less than 680KB.
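
Added example, not part of the original message or of any browser's code: a sketch of the offline-whitelist check discussed in this thread, storing one 64-bit digest per certificate in a sorted flat array and applying the list only to certificates from the restricted issuer. Truncating SHA-256 to 8 bytes, the function names and the sample certificates are assumptions; the compression step mentioned above is not modelled.

```python
import hashlib

DIGEST_LEN = 8  # 64-bit digest per certificate, the size given in the reply


def truncated_digest(cert_der: bytes) -> bytes:
    """Assumed scheme: first 8 bytes of SHA-256 over the DER certificate."""
    return hashlib.sha256(cert_der).digest()[:DIGEST_LEN]


def build_whitelist(certs) -> bytes:
    """Pack sorted, de-duplicated digests into one flat byte string."""
    return b"".join(sorted({truncated_digest(c) for c in certs}))


def is_whitelisted(blob: bytes, cert_der: bytes) -> bool:
    """Binary search over the fixed-width records in the packed blob."""
    target = truncated_digest(cert_der)
    lo, hi = 0, len(blob) // DIGEST_LEN
    while lo < hi:
        mid = (lo + hi) // 2
        entry = blob[mid * DIGEST_LEN:(mid + 1) * DIGEST_LEN]
        if entry == target:
            return True
        if entry < target:
            lo = mid + 1
        else:
            hi = mid
    return False


def accept(issuer_is_restricted: bool, blob: bytes, cert_der: bytes) -> bool:
    """Only certificates from the restricted issuer must be on the list."""
    return (not issuer_is_restricted) or is_whitelisted(blob, cert_der)


def raw_size_bytes(n_certs: int) -> int:
    """Uncompressed list size: 180k entries -> 1.44 MB, 110k -> 0.88 MB."""
    return n_certs * DIGEST_LEN


# Constructed sample data: stand-ins for DER-encoded certificates.
SAMPLE_CERTS = [b"constructed-cert-%d" % i for i in range(1000)]
WHITELIST = build_whitelist(SAMPLE_CERTS)

if __name__ == "__main__":
    print(len(WHITELIST), "bytes for", len(SAMPLE_CERTS), "certificates")
    print(accept(True, WHITELIST, SAMPLE_CERTS[42]))      # listed
    print(accept(True, WHITELIST, b"constructed-new"))    # not listed
```

With the reply's figures, the raw sizes of 1,440,000 and 880,000 bytes reduced by 25% give 1,080,000 and 660,000 bytes, matching "slightly larger than 1MB" and "less than 680KB".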