Here's the patch to get GnuTLS to do CRL checking.

On Debian, you can get a bunch of CRL PEM files by the following:

$ sudo apt-get install igtf-policy-bundle
$ sudo apt-get install fetch-crl
$ sudo fetch-crl -p 8 --format pem

On macOS with MacPorts:

$ sudo port install igtf-ca-bundle
$ sudo fetch-crl -p 8 --format pem

Now if you do

M-: (url-retrieve-synchronously "https://revoked.grc.com/") RET

you should see a prompt from NSM.

Possible improvement: checking static CRLs is still spotty. "https://revoked.badssl.com" still fails to trigger a prompt from NSM. For that we'll definitely need OCSP and some of the newer Certificate Transparency tricks.

On Sun, Jun 24, 2018 at 7:29 PM, Jimmy Yuen Ho Wong wrote:

>> I'm not quite sure I follow you here. OCSP is the online query stuff,
>> and is something that gnutls doesn't do, I think, and which is probably
>> not something we want to do either. (Chrome doesn't, for instance.)
>>
> GnuTLS has had the ability to do OCSP since 3.1.3, released back in 2012. This
> is how you do it according to the manual.
>
> Chrome's primary check OOTB is its own curated CRLSet, but it does use
> OCSP for some EV certs, and relies on the underlying library to do OCSP.
> You can also enable it in Chrome if you want.
>
>> But a certificate revocation list is something we could consider
>> distributing via ELPA, but that's a bigger project...
>>
> No. Emacs has a defined list of CA bundle PEM files (`gnutls-trustfiles`)
> it looks for now; the same can be done for CRL files. Users can
> periodically update their CA bundle and CRL bundle. The CA bundle on *nix
> is typically Mozilla's, which is covered by the default list in
> `gnutls-trustfiles`. A complete list of CRLs in PEM format typically doesn't
> exist on most systems, but can be generated with `igtf-ca-bundle` +
> `fetch-crl`. I just generated them on macOS via MacPorts; Linux should also
> be a matter of installing a few packages and running `fetch-crl`.
>
>> Or do you mean OCSP stapling? There's so much going on in this area
>> (because it's a clusterfuck to begin with) that it can be challenging
>> keeping track. :-)
>>
> Nah, it's just a couple more lines of C code. See GnuTLS's manual on OCSP
> above.
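The message above describes a static CRL check fed by a PEM bundle from fetch-crl, and notes that such a check is "spotty". What follows is an added example, not the Emacs patch, GnuTLS code or anything from NSM: a standard-library-only Python script that parses the parts of a DER-encoded CRL a revocation check needs (issuer, thisUpdate/nextUpdate, revoked serial numbers), loads every CRL in a PEM bundle, and classifies a leaf certificate by (issuer, serial). The point it makes that the prose only hints at is that a bundle check has four outcomes, not two: besides REVOKED and GOOD it can find no CRL for the leaf's issuer at all, or only a CRL whose validity window has passed. A client that collapses those into "GOOD" will never prompt for a site whose CA simply isn't in the bundle, which is one plausible reason a grid-CA bundle says nothing about revoked.badssl.com. The issuer name "Example Grid CA", the serial numbers and the dates are constructed test data; the sample CRL is built by a tiny DER encoder in the same file and carries a zero placeholder signature, so signature verification, which a real implementation must do against the issuer certificate before trusting any of this, is deliberately out of scope here.

```python
"""Static CRL check over a PEM CRL bundle, standard library only.
Added example for this thread, not Emacs, NSM or GnuTLS code. The CRL
signature is NOT verified here; a real check must do that first."""
import base64
from datetime import datetime, timedelta, timezone

def _read_tlv(buf, pos):
    """Decode one DER TLV (single-byte tags only) at pos: (tag, content, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: 0x8N + N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split a constructed element's content into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val, content[start:pos]))
    return out

def _parse_time(field):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if field[0] == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(field[1].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_crl_der(der):
    """Return issuer (raw DER Name), this_update, next_update and revoked serials."""
    _, cert_list, _ = _read_tlv(der, 0)             # CertificateList ::= SEQUENCE
    fields = _children(_children(cert_list)[0][1])  # tbsCertList fields
    i = 1 if fields[0][0] == 0x02 else 0            # optional version INTEGER
    i += 1                                          # signature AlgorithmIdentifier
    issuer, i = fields[i][2], i + 1                 # issuer Name, kept as raw DER
    this_update, i = _parse_time(fields[i]), i + 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update, i = _parse_time(fields[i]), i + 1
    revoked = set()
    if i < len(fields) and fields[i][0] == 0x30:    # revokedCertificates SEQUENCE OF
        for _, entry, _ in _children(fields[i][1]):
            serial = _children(entry)[0]            # userCertificate INTEGER
            revoked.add(int.from_bytes(serial[1], "big", signed=True))
    return {"issuer": issuer, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}

def load_pem_crls(pem_text):
    """Parse every '-----BEGIN X509 CRL-----' block in a PEM bundle."""
    crls, b64 = [], None
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN X509 CRL-----"):
            b64 = []
        elif line.startswith("-----END X509 CRL-----"):
            crls.append(parse_crl_der(base64.b64decode("".join(b64))))
            b64 = None
        elif b64 is not None:
            b64.append(line.strip())
    return crls

def check_revocation(crls, issuer_der, serial, now):
    """Only REVOKED/GOOD are verdicts; the other two mean the bundle cannot
    say anything, which must not be silently treated as GOOD."""
    mine = [c for c in crls if c["issuer"] == issuer_der]
    if not mine:
        return "NO_CRL_FOR_ISSUER"
    fresh = [c for c in mine if c["this_update"] <= now
             and (c["next_update"] is None or now <= c["next_update"])]
    if not fresh:
        return "CRL_STALE"
    return "REVOKED" if any(serial in c["revoked"] for c in fresh) else "GOOD"

# --- constructed test data: a tiny DER encoder builds an unsigned sample CRL ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _int(n):          # DER INTEGER; extra leading 0x00 when the top bit is set
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _utc(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def _name(cn):        # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (CN), UTF8String }
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, atv))

def build_sample_crl_pem(issuer_cn, this_update, next_update, serials):
    """Constructed CRL for testing; the signature BIT STRING is all zeros."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    entries = b"".join(_tlv(0x30, _int(s) + _utc(this_update)) for s in serials)
    tbs = _tlv(0x30, _int(1) + alg + _name(issuer_cn) + _utc(this_update)
               + _utc(next_update) + _tlv(0x30, entries))
    crl = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 33))
    return ("-----BEGIN X509 CRL-----\n" + base64.encodebytes(crl).decode("ascii")
            + "-----END X509 CRL-----\n")

ISSUER_CN = "Example Grid CA"                       # assumed issuer, serials, dates
NOW = datetime(2018, 6, 25, 12, 0, tzinfo=timezone.utc)
SAMPLE_BUNDLE = build_sample_crl_pem(ISSUER_CN, NOW - timedelta(days=1),
                                     NOW + timedelta(days=7), [0x1001, 0x1002])

def demo(bundle=SAMPLE_BUNDLE, now=NOW):
    """Exercise the four outcomes a static CRL check can produce."""
    crls = load_pem_crls(bundle)
    return {"revoked": check_revocation(crls, _name(ISSUER_CN), 0x1001, now),
            "good": check_revocation(crls, _name(ISSUER_CN), 0x1003, now),
            "unknown_issuer": check_revocation(crls, _name("Other CA"), 0x1001, now),
            "stale": check_revocation(crls, _name(ISSUER_CN), 0x1001,
                                      now + timedelta(days=30))}
```

Point load_pem_crls at the files fetch-crl writes and call check_revocation with the leaf's issuer DER and serial; anything other than REVOKED or GOOD should be surfaced to the user (an NSM prompt, in Emacs terms) rather than treated as a pass, since those are exactly the cases a static bundle cannot decide and OCSP would have to cover.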