Isn't CRLSet a Google invention? Doesn't it depend on Chrome software updates?
All I know about it, I read from Langley's writings. Is there a better reference?
Who set the implemntation limits, if not Google?
Maybe those limits are justifiable, but that doesn't leave someone who's left unprotected, by what seem like arbitrary policy cutoffs, feeling any better.
Your feelings aren't material to the issue at hand. You're not supposed to feel good about CRLsets.
Google didn't invent this idea. It was suggested by the CABForum.
CRLsets are static, practically hardcoded revocations that every installation of Chrome receives. The idea that https://yourblog.com should expect specific consideration in Chrome updates is about as reasonable as suggesting that we revert back from the DNS to host files.
Yes, feelings are immaterial, but you shouldn't be trying to convince with bluster when you've erred on the facts.
The more I read, the more it seems CRLSet implementation choices were entirely Google's. For example, when CABForum members want information about how CRLSets work, Langley suggests the best (and only!) reference is the Chrome source code:
I am of course open to better information. But for now it still looks like Google did indeed "choose how big to make the lifeboat", unlike your assertion to the contrary.
Also, it looks like the 250KB cap is in Google's unpublished server-side source that constructs the CRLSets. So Google could conceivably "expand the lifeboat" unilaterally with a tiny edit!
For reference, it appears the current 'Safe Browsing' blacklists, never more stale than 45 minutes, are about 2.3MB in size. So the CRLSet cap (250KB) and freshness (1 day) aren't very generous to users.
I said that the idea came from CABForum because that's what Langley said. Moving from 250k to 2.3M still wouldn't put your blog in the lifeboat. Also: the CRL entries in the CRLsets are manually curated; someone is doing that work for you, for free.
And I understood correctly about who chose the "size of the lifeboat", also because of what Langley said.
The person upthread unhappy that Chrome didn't pick up their revocation (einhverfr) isn't worried about a measly blog, but their SaaS business.
If 2.3MB isn't enough to protect everybody, make it 23MB or take whatever other design steps are necessary. The world's most popular browser, from the world's most profitable internet company, in 2014 shouldn't be showing the lock-icon and "valid certificate" hours/days/weeks after a publicly-available revocation.
"Manual curation", rather than being impressive, is a design-smell here. And none of Google's work to outcompete other browsers, using proprietary Chrome features, is being done for me "for free".
