OCSP requests reveal details of individuals' browsing history to the operator of the OCSP responder. These can be exposed accidentally (e.g., via data breach of logs) or intentionally (e.g., via subpoena). This is part of why Chrome doesn't do OCSP checks for Domain Validated (DV) or Organization Validated (OV) certificates by default, and starting in version 106, Chrome won't do them for Extended Validation (EV) certificates either, to better protect users' privacy.
Select revocation checking support will continue to be available through CRLSets, and OCSP stapling will still be supported. Chrome also supports an enterprise policy to enable online revocation checking, though this may be removed in the future.
For any other questions or concerns, please email us at chrome-ro...@google.com.
Ryan[Sent on behalf of the Chrome Root Program]
Thank you for sharing this information with us. Will this also have influence on Google’s concept of individual crls per certificate (e.g. http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl for crt.sh | 7340166965)? I like this concept of extremely sharded CRLs a lot since it effectively keeps the CRL size under control but at the end it seems to me to have the same privacy issues as the OCSP responder.
IT IPS SIP ET
91058 Erlangen, Germany
Mobile: +49 (1522) 2894134
Important notice: This e-mail and any attachment thereof contain corporate proprietary information. If you have received it by mistake, please notify us immediately by reply e-mail and delete this e-mail and its attachments from your system. Thank you.
Siemens Corporation: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Roland Busch, Chairman, President and Chief Executive Officer; Klaus Helmrich, Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese;
Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin-Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
Thank you for your email explaining the way how Google works with sharded CRLs. I only did some sample checks on crt.sh and it seemed that every leaf certificate has its own CRL (which I found an extremely interesting concept). But this was obviously not correct. With this information it is clear to me that the situation for OCSP is different to the CRLs.