On Thu, Sep 18, 2008 at 3:04 PM, Rick Andrews <[EMAIL PROTECTED]> wrote:
>
> Chrome appears to use CRLs for SSL cert status checking. Are there any
> plans to use OCSP instead, or primarily use OCSP with a fallback to
> CRLs?
We should primarily use OCSP with a fallback to CRLs. If we aren't doing that, it's because 1) the WinHTTP library that we're using doesn't give us this level of control on the revocation checking methods, or 2) we made a mistake in the new HTTP stack (not used by default).

For WinHTTP, we only have one option flag, WINHTTP_ENABLE_SSL_REVOCATION, to enable revocation checking:
http://msdn.microsoft.com/en-us/library/aa384066(VS.85).aspx
So it's all up to WinHTTP to decide whether it should use CRLs or OCSP.

In the new HTTP stack, we're passing the flags CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | CERT_CHAIN_CACHE_END_CERT to the CertGetCertificateChain function. Are those the right flags to use? Should we be using the CERT_CHAIN_REVOCATION_CHECK_OCSP_CERT flag? See
http://msdn.microsoft.com/en-us/library/aa376078(VS.85).aspx

Wan-Teh
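As an added illustration of the chain-building options discussed above (this is not Chromium code and not from the thread), the following PowerShell script builds a chain through .NET's X509Chain, which on Windows sits on the same CryptoAPI chain engine as CertGetCertificateChain; RevocationMode Online with RevocationFlag ExcludeRoot is the managed equivalent of CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, and the script separates "revoked" from "status could not be determined", the soft-fail case a relying party should not silently treat as good. The certificate path .\leaf.cer is a placeholder assumption.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not Chromium's code. Builds a chain for a leaf certificate with
# online revocation checking that excludes the self-signed root, then reports
# whether revocation status was actually determined.
function Test-CertRevocation {
    param([Parameter(Mandatory)][string]$Path)

    $cert  = New-Object X509Certificate2 $Path
    $chain = New-Object X509Chain

    # Online: fetch CRL/OCSP as needed. As with WinHTTP, CryptoAPI chooses the
    # method from the certificate's AIA/CDP extensions; the caller cannot force
    # OCSP over CRL from here.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    # ExcludeRoot: check every certificate in the chain except the root
    # (mirrors CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT).
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built = $chain.Build($cert)

    # Collapse all per-element status flags into one bitmask.
    $status = 0
    foreach ($s in $chain.ChainStatus) { $status = $status -bor [int]$s.Status }

    $revoked = ($status -band [int][X509ChainStatusFlags]::Revoked) -ne 0
    # RevocationStatusUnknown / OfflineRevocation mean the responder or CRL
    # could not be consulted: a soft fail, not a clean bill of health.
    $undetermined = ($status -band ([int][X509ChainStatusFlags]::RevocationStatusUnknown -bor
                                     [int][X509ChainStatusFlags]::OfflineRevocation)) -ne 0

    $result = [pscustomobject]@{
        Subject      = $cert.Subject
        ChainBuilt   = $built
        Revoked      = $revoked
        Undetermined = $undetermined
        Errors       = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }
    $chain.Reset()
    $result
}

# Placeholder path; replace with a real DER/PEM certificate file.
Test-CertRevocation -Path '.\leaf.cer' | Format-List
```

To observe the soft-fail branch, run it on a machine with outbound HTTP blocked: ChainBuilt is false and Undetermined is true while Revoked stays false.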