by ars 4436 days ago
I guess you didn't read the article? He's saying there are no cases where it works. Making it completely pointless.
2 comments

> That's why I claim that online revocation checking is useless - because it doesn't stop attacks.

Doesn't mean there are "no" cases where it works. It just means any attacker dedicated enough can work around the CRLs.

I don't see any reason why one should throw the baby out with the bathwater. In this case, I just see Chrome guilty of FUD and hiding behind an intractable problem to justify their incorrect position.

See http://en.wikipedia.org/wiki/Two_Generals'_Problem if you want to convince yourself the problem is intractable.

I did read the article.

> "In order to end on a positive note, I'll mention a case where online revocation checking does work..."

Funny how you didn't quote the actual case mentioned, just the text ahead of it. Ctrl-F'ing a little quick, eh?
That's even more proof you didn't read it. How does enabling it in Chrome make any difference to code signing?

Does enabling revocation checking make me less safe?

Yes! It involves you reporting all the sites you visit to a CA!

I guess I knew that but hadn't grasped the security problem this presents. You've changed my mind. Thank you.