by einhverfr 4436 days ago
Google's problem is they decide which revocations are worth passing on to the browser. That's at least as broken by design...

Believe me I am aware of the limits of soft-fail, but the answer cannot be even in the short-run to let a browser vendor tell us which revocations are worth knowing about.

3 comments

Soft fail doesn't work at all. CRLSet works for the certificates that it covers (some 25k of them, btw).

Which approach is worse?

> but the answer cannot be even in the short-run to let a browser vendor tell us which revocations are worth knowing about.

So you trust the browser vendor to ship you executable native code but you don't trust the browser vendor to apply reasonably decent criteria for the top x% most-needed cert revocations on the Internet?

Do you know the limits of "soft-fail"? Because I don't see you addressing them.