2.18 Ensure 'Require online OCSP/CRL checks for local trust anchors' is set to 'Enabled'

Information

Google Chrome performs revocation checking for server certificates that successfully validate and are signed by locally-installed CA certificates. If Google Chrome is unable to obtain revocation status information, such certificates will be treated as revoked ('hard-fail').

Disabled: Google Chrome uses existing online revocation-checking settings.

The recommended state for this setting is: Enabled (1)

Rationale:

Certificates shall always be validated.

Impact:

A revocation check will be performed for server certificates that successfully validate and are signed by locally-installed CA certificates. if the OCSP server goes down, then this will hard-fail and prevent browsing to those sites.

Solution

To establish the recommended configuration via Group Policy, set the
following UI path to Enabled:

Computer Configuration\Polices\Administrative Templates\Google\Google Chrome\Require online OCSP/CRL checks for local trust anchors

Default Value:

Unset (Same as Disabled, and users can change)

See Also

https://workbench.cisecurity.org/benchmarks/8691

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(5)

Plugin: Windows

Control ID: a446a86f2c633a7f09705a598f18c61075c391f35314b03b648fccafac5948b8