author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-06-24 22:47:12 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-06-24 22:47:12 +0000 |
commit | 2000dc9fd026b59726ec826a5099b14730694834 (patch) | |
tree | 3182261eac203b11be0679b1b4aee6ce18a8c3f4 /net/socket/websocket_endpoint_lock_manager_unittest.cc | |
parent | c1b9358a8da97ae7ed352a0ae05d3feb963eb3e2 (diff) | |
net: only consider CRLSet coverage for the leaf certificate.

Currently, CRLSet coverage requires that every certificate in a chain be
covered. However, some intermediates have CRLs with no revocations and those
CRLs are pruned from the CRLSet at generation time. This means that
some EV sites are taking the hit of an OCSP lookup for no reason.

We could include empty CRLs in the CRLSet, but being able to prune them is
nice. Instead, this change redefines coverage so that only the leaf certificate
is considered on the basis that revoking an intermediate in anger is
sufficiently rare and important that we'll be taking extraordinary measures in
any case.

The OS X code isn't changed because it doesn't consider CRLSet coverage and (I
think) always does OCSP lookups for EV certs due to platform limitations. The
OpenSSL and Android code isn't changed because it doesn't implement CRLSet
checking.

BUG=none

Review URL: https://codereview.chromium.org/342033003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@279521 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/websocket_endpoint_lock_manager_unittest.cc')
0 files changed, 0 insertions, 0 deletions
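
The coverage rule described in the commit message, before and after, as an added example: this is a simplified model written for this page, not code from the commit or from Chromium. The `CrlSet` map, the `Cert` struct, all function names and the sample chain are constructed assumptions.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

enum class Result { kRevoked, kUnknown, kGood };

// Constructed stand-in for a CRLSet: issuer id -> revoked serials.
// Issuers whose CRL lists no revocations are pruned, so they have no entry.
using CrlSet = std::map<std::string, std::set<std::string>>;
struct Cert { std::string serial; std::string issuer; };
struct Verdict { bool revoked; bool covered; };

Result CheckSerial(const CrlSet& crls, const Cert& c) {
  auto it = crls.find(c.issuer);
  if (it == crls.end()) return Result::kUnknown;  // issuer's CRL not in the set
  return it->second.count(c.serial) ? Result::kRevoked : Result::kGood;
}

// chain[0] is the leaf. leaf_only=false models the old rule (every
// certificate must be covered), leaf_only=true the rule after this change.
// Revocation of any certificate still counts under both rules.
Verdict Evaluate(const CrlSet& crls, const std::vector<Cert>& chain,
                 bool leaf_only) {
  Verdict v{false, !chain.empty()};
  for (size_t i = 0; i < chain.size(); ++i) {
    Result r = CheckSerial(crls, chain[i]);
    if (r == Result::kRevoked) v.revoked = true;
    if (r == Result::kUnknown && (i == 0 || !leaf_only)) v.covered = false;
  }
  return v;
}

// An EV chain that is not covered falls back to an online (OCSP) lookup.
bool NeedsOnlineCheckForEV(const Verdict& v) { return !v.revoked && !v.covered; }

// Constructed sample: the leaf's issuer has a CRL in the set; the
// intermediate's issuer had an empty CRL that was pruned at generation time.
CrlSet SampleCrlSet() { return {{"intermediate-A", {"0x1001"}}}; }
std::vector<Cert> SampleChain() {
  return {{"0x2002", "intermediate-A"}, {"0x0a", "root-R"}};
}

int main() {
  for (bool leaf_only : {false, true}) {
    Verdict v = Evaluate(SampleCrlSet(), SampleChain(), leaf_only);
    std::cout << (leaf_only ? "leaf-only" : "whole-chain") << ": covered="
              << v.covered << " ocsp=" << NeedsOnlineCheckForEV(v) << "\n";
  }
}
```
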