
Re: [Bug-wget] certificate revocation lists (CRLs) #43501


From: Christoph Anton Mitterer
Subject: Re: [Bug-wget] certificate revocation lists (CRLs) #43501
Date: Wed, 05 Nov 2014 19:20:31 +0100

On Wed, 2014-11-05 at 13:51 +0100, Noël Köthe wrote: 
> I'm aware of fetch-crl
> https://packages.debian.org/unstable/main/fetch-crl but maybe there is
> anything more planned, like CRL support for the ca-certificates package?
My personal experience with this (and we massively use it in the LCG,
where fetch-crl actually comes from),... it doesn't work well.

Not talking about fetch-crl itself, but rather the CAs,... their CRLs
are every now and then (read: surprisingly often) not downloadable, for
whatever miscellaneous and strange reasons.

So in the end, you either make all that voluntary (i.e. not fail, even
if the CRL is out of date), which makes it of course completely
useless... or you make it mandatory, but then you see rather often
failures.


Of course this doesn't mean one shouldn't use CRLs, but as long as the
major players don't use them we have at least little chance to make
pressure on the CAs to fix their server infrastructure :-(


Cheers,
Chris.
