On Monday, 31 January 2022 21:18:52 CET, Ryan Sleevi wrote:
> On Mon, Jan 31, 2022 at 12:08 PM Hubert Kario <hka...@redhat.com> wrote:
>> Browsers are the only software that use browser's implementation of
>> certificate verification and revocation.
>> And while they are significant users of TLS, they're definitely not the
>> only important users of TLS.
>
> In the context of the thread, it’s hopefully clear I was not
> trying to argue they are the only important user, but rather, a
> demonstration of a practical alternative to deliver this
> information.
>
> That said, on platforms like Apple’s *OS family (mac/i/tv),
> and, to a lesser extent, Windows and Android, such distribution
> _is_ system wide, and TLS-using applications, including
> non-browser, don’t need to take any special action.

I'm not aware of any OneCRL-like functionality in Windows...
Do you have some pointers for that? Or are you talking just about the fact
that Windows downloads and stores CRLs system wide?

> It’s really only in Linux that there isn’t some form of
> system-wide capability available, and although Linux remains
> significant in this space, it shouldn’t be used to preclude more
> holistic approaches.

The CA store used by OpenSSL as the -CAdir or X509_LOOKUP_hash_dir[1]
can store CRLs too, making sort-of system-wide certificate revocation
without need of OCSP possible too (NSS also supports a system-wide CRL
store, I think only GnuTLS doesn't).

1 - https://www.openssl.org/docs/man1.1.1/man3/X509_load_cert_crl_file.html
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls