With the Heartbleed bug, many site certificates are revoked, and correct checking of revocation is particularly important. I would like to know how exactly Opera handles the certificate revocation check.
- Do you cache CRL lists? If so, for how long, and is there a way to refresh them on demand? If a CRL cannot be downloaded, do you use the cached copy?
- Do you support CRL lists in all formats (e.g. both binary and text-based)?
- Do you treat it as a failure if checking for revocation fails? Do you treat it as a failure for any reason (e.g. connection error to both CRL and OCSP, only one provided and a connection error to that, unknown format, ...)?
- Do you utilize both CRL and OCSP? If so, which is the default one, and how is it decided whether the other is used as a fallback? What if the fallback fails too? Are you using any other methods like CRLSet? If you only support one of the methods, what if the certificate only supports the other?
- Do you do CRL/OCSP checks on all intermediate certificates?
- Is it possible to get a warning for any certificate which is older than 04/07?
I think it would be great if you created a blog post in the context of the Heartbleed bug describing exactly how Opera handles revocation.
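As an added example that is not part of this post or of any Opera code, the Go program below shows what a client has in hand before any revocation check: it pulls the CRL distribution points and OCSP responder URLs out of a certificate, reports whether a client supporting only one of the two methods has a usable endpoint at all, and flags a certificate whose validity began before the Heartbleed disclosure (the "04/07" in the question is assumed to mean 2014-04-07). The self-signed certificate, the example.test URLs and the RevocationInfo type are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Heartbleed was disclosed on 2014-04-07 (assumed reading of "04/07"); a
// certificate whose validity began before that date may have had its key exposed.
var HeartbleedDisclosure = time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)

// RevocationInfo is what a client knows before it can attempt any check.
type RevocationInfo struct {
	CRLURLs       []string // CRL distribution points from the certificate
	OCSPURLs      []string // OCSP responder URLs from the AIA extension
	PreHeartbleed bool     // NotBefore precedes the disclosure date
}

// Inspect reads the revocation endpoints and flags pre-Heartbleed issuance.
func Inspect(cert *x509.Certificate) RevocationInfo {
	return RevocationInfo{
		CRLURLs:       cert.CRLDistributionPoints,
		OCSPURLs:      cert.OCSPServer,
		PreHeartbleed: cert.NotBefore.Before(HeartbleedDisclosure),
	}
}

// CanCheck: a client supporting only the given methods needs a matching endpoint.
func (r RevocationInfo) CanCheck(supportCRL, supportOCSP bool) bool {
	return (supportCRL && len(r.CRLURLs) > 0) || (supportOCSP && len(r.OCSPURLs) > 0)
}

// makeTestCert builds a constructed self-signed certificate (sample data only).
func makeTestCert(notBefore time.Time, crl, ocsp []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: notBefore, NotAfter: notBefore.Add(365 * 24 * time.Hour),
		CRLDistributionPoints: crl, OCSPServer: ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate that carries only a CRL endpoint cannot be checked by an OCSP-only client, which is the gap the question about supporting a single method points at.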