2.17 Ensure 'Require online OCSP/CRL checks for local trust anchors' is set to 'Enabled'

Information

Google Chrome performs revocation checking for server certificates that successfully validate and are signed by locally-installed CA certificates. If Google Chrome is unable to obtain revocation status information, such certificates will be treated as revoked ('hard-fail').

Disabled: Google Chrome uses existing online revocation-checking settings.

The recommended state for this setting is: Enabled (1)

Rationale:

Certificates shall always be validated.

Impact:

A revocation check will be performed for server certificates that successfully validate and are signed by locally-installed CA certificates. If the OCSP/CRL server is unreachable, the check hard-fails and prevents browsing to those sites.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Require online OCSP/CRL checks for local trust anchors
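The following PowerShell audit script is an added example and is not part of the benchmark or of CIS's own tooling. The page gives only the Group Policy UI path; the script assumes that this policy is stored, as Chrome's ADMX template writes it, as a DWORD named RequireOnlineRevocationChecksForLocalAnchors under HKLM:\SOFTWARE\Policies\Google\Chrome, and that a value of 1 corresponds to Enabled. The function names are the example's own.

```powershell
# Added example: audit (and optionally remediate) the registry value written by the
# 'Require online OCSP/CRL checks for local trust anchors' Group Policy setting.
# Assumption: the policy is a DWORD named RequireOnlineRevocationChecksForLocalAnchors
# under the Chrome policy key; 1 = Enabled, 0 = Disabled, absent = Unset.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$PolicyName = 'RequireOnlineRevocationChecksForLocalAnchors'
$Expected   = 1

function Get-LocalAnchorRevocationPolicy {
    # Returns the configured DWORD, or $null when the key or value is absent.
    # Absent means Unset, which Chrome treats the same as Disabled.
    if (-not (Test-Path -Path $PolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyName
}

function Test-LocalAnchorRevocationPolicy {
    # Maps the raw value to the states used on this page and reports compliance.
    $value = Get-LocalAnchorRevocationPolicy
    $state = if ($null -eq $value) {
        'Unset'
    } elseif ($value -eq $Expected) {
        'Enabled'
    } else {
        "Disabled ($value)"
    }
    [pscustomobject]@{
        Policy    = $PolicyName
        Value     = $value
        State     = $state
        Compliant = ($value -eq $Expected)
    }
}

function Set-LocalAnchorRevocationPolicy {
    # Writes the recommended value directly; requires an elevated session.
    # If Group Policy manages this key it will reapply its own value on the next
    # refresh, so the GPO path given on this page remains the authoritative fix.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord `
        -Value $Expected -Force | Out-Null
}

# Audit run: prints the current state and warns when the recommended value is not set.
$result = Test-LocalAnchorRevocationPolicy
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "Not compliant: $PolicyName is $($result.State); expected Enabled ($Expected)."
}
```

Because the default (Unset) behaves as Disabled, the audit reports Unset as non-compliant rather than as a separate state. Run Set-LocalAnchorRevocationPolicy only from an elevated session, and on domain-joined hosts prefer the Group Policy path above so the value survives policy refresh; remember the hard-fail impact described on this page before enabling it fleet-wide.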

Default Value:

Unset (Same as Disabled, and users can change)

See Also

https://workbench.cisecurity.org/files/3653

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(5)

Plugin: Windows

Control ID: 683f72e2eabb7c351d1a342e14ecc1fc56e9db195ec5b9afa5e6615aea7c3a3f