8 Feb 06:24
Re: Chrome to drop CRL checking
Taral <taralx@...> noted..
>
> On Tue, Feb 7, 2012 at 7:25 AM, Alexandre Dulaunoy <a <at> foo.be> wrote:
>> $ ./crlset dump crl-set | wc -l
>> 1656
>>
>> Maybe they use a bloomfilter-like format or something like that. But
>> it seems that their current bundle is
>> not matching the numbers of the revoked certificate especially the
>> ones with a reason.
>>
>> Information about the Google CRLSet format is welcome.
>
> A glance at the code says the dump is of the form:
>
> spki hash
>  serial
>  serial
>  serial
>
> And it looks like it's been updated:
>
> % ./crlset dump crlset | grep '^ ' | wc -l
> 3809

note that one needs to do this sequence to get similar results as above
(i.e. Taral's results)...

$ ./crlset fetch > foo
$ ./crlset dump foo | grep '^ ' | wc -l
3809

I.e. you need to actually fetch the latest update, then dump it. Otherwise
you'll be stuck with your previous numbers, assuming you request dumping of
the same file you've previously fetched to.

HTH,

=JeffH
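The dump layout described in this thread, as an added example that is not part of the original messages or of the crlset tool: a parser that groups serials under their SPKI hash and compares a stale dump with a freshly fetched one. It assumes serial lines begin with whitespace (as the `grep '^ '` above implies) and SPKI hash lines do not; the function names and the sample dumps are constructed for illustration.

```python
# Added example. Assumed layout: an unindented SPKI hash line followed by
# indented serial lines, as described in the thread.

def parse_dump(text):
    """Return {spki_hash: set_of_serials} from dump-style text."""
    issuers = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw[0] in " \t":                      # indented line: a serial
            if current is None:
                raise ValueError(f"line {lineno}: serial before any SPKI hash")
            issuers[current].add(raw.strip().lower())
        else:                                    # unindented line: an SPKI hash
            current = raw.strip().lower()
            issuers.setdefault(current, set())
    return issuers

def serial_count(issuers):
    """Same figure as `grep '^ ' | wc -l`: serial lines only, no hash lines."""
    return sum(len(serials) for serials in issuers.values())

def diff_dumps(old, new):
    """Return (added, removed) as {spki_hash: serials} between two parsed dumps."""
    added, removed = {}, {}
    for spki in old.keys() | new.keys():
        gained = new.get(spki, set()) - old.get(spki, set())
        lost = old.get(spki, set()) - new.get(spki, set())
        if gained:
            added[spki] = gained
        if lost:
            removed[spki] = lost
    return added, removed

# Constructed sample dumps (placeholder hashes and serials, not real CRLSet data).
OLD_DUMP = "aa11\n 01\n 02\nbb22\n 0a\n"
NEW_DUMP = "aa11\n 01\n 02\n 03\nbb22\ncc33\n ff\n"

if __name__ == "__main__":
    old, new = parse_dump(OLD_DUMP), parse_dump(NEW_DUMP)
    added, removed = diff_dumps(old, new)
    print("serials:", serial_count(old), "->", serial_count(new))
    print("added:", added)
    print("removed:", removed)
```

A plain `wc -l` over the whole dump counts the SPKI hash lines as well as the serials, so it is not directly comparable with the `grep '^ '` figure.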