tags 745646 unreproducible
notfound 745646 34.0.1847.116-2
severity 745646 normal
thanks
On 2014-04-30 20:30 Jonathan Nieder wrote:
> However Vincent is right that the CRLSets[1] are a different mechanism
> than OCSP revocation checking and that CRLSet checking is enabled by
> default.

Yes, that's true, but I really can't reproduce this issue. In all my
installations, CRLSets are updated correctly.

> If it is broken then that would indeed be a serious bug.

I don't think this would be a serious bug. You should consider CRLSet
only as "better than nothing".
Please try to find a real case where you are more secure with it but
consider that:
- CRLSet includes at most 2% of the revoked certificates currently
  published by the Internet's certificate authorities
- updates to CRLSet appear to often take several days
- if an attacker can use a revoked certificate, he can intercept
  traffic, so he could also intercept CRLSet updates

Cheers,
Giuseppe