HOW to set “security.OCSP.require” in Google Chrome/Chromium?
Bruno Wolff III
bruno at wolff.to
Thu Mar 24 19:10:37 UTC 2011
On Thu, Mar 24, 2011 at 14:16:49 -0430,
Patrick O'Callaghan <pocallaghan at gmail.com> wrote:
>
> Wierd advice IMHO. There are a number of practical reasons for not
> checking CRLs (Certificate Revocation Lists) all the time, but sending
> cert serial numbers to the CA is not among them. The serial number is
> not secret information (neither is the cert itself of course). If you
> don't trust the CA, then better disable certs entirely, not just CRL
> checking.
Sending the serial number to the CA allows the CA to guess (with high
probability of being correct) that you are visiting the web page that
they sold the certificate for. This information can be resold to other
companies for marketing purposes (or other reasons). If there is any
money in this, I wouldn't expect Verisign to pass the opportunity up based
on other similar stuff they have done.
More information about the users
mailing list