Issue 765935

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Feature
Team-Security-UX




Revoked StartCom/WoSign certs should give clearer message

Reported by spazef0...@gmail.com, Sep 16 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. Go to a site with StartCom/WoSign certificate (e.g. https://www.sevecek.com/)
2. "Attackers might be trying to steal your information from www.sevecek.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_REVOKED" appears
3. Try to pinpoint which certificate was revoked. In this case it's the root cert, but the message is technically the same as with revoked leaf cert (e.g. https://revoked.badssl.com/)

What is the expected behavior?
The browser could give a clearer message of which certificate was revoked, whether the leaf or the root. Identifying the revoked cert is harder on Windows because Windows still trusts WoSign/StartCom and Chrome uses the Windows trust store and uses/links to the Windows trust store UI. So when you click "View certificate" in developer tools you'll see that everything is ok, see attached screenshot.

It would be cool if the site owner could read the NET::ERR_CERT_REVOKED error message and figure out what needs to be done next. The link "Learn more" leads to this help page https://support.google.com/chrome/answer/6098869 and the "cert revoked" info is missing.

What went wrong?
Can't pinpoint the problematic revoked certificate, so it needs to be debugged using some other tools (or with rather deep-ish knowledge of the StartCom/WoSign issue)

Did this work before? N/A 

Chrome version: 61.0.3163.79  Channel: n/a
OS Version: 10.0
Flash Version:
 
Attachment: chrome_2017-09-16_20-43-41.png (39.6 KB)

Components: -Internals>Network Internals>Network>Certificate
Components: -Internals>Network>Certificate UI>Browser>Interstitials UI>Browser>CertificateViewer
Redirecting out of the Certificate queue to decide on the UI side.

For revoked certs, we do not presently have cross-platform guarantees to indicate what cert caused the error. For that reason, my technical recommendation is that we should WontFix/WAI, as that represents the only reliable signal and experience across browsers.

The secondary question is about the CertificateViewer UI, for which we currently use the platform viewer. Unless we want to develop our own viewer (UI leads have consistently declined to), this will simply be a Known Issue.

Just thinking about whether an updated error message would make things more clear. Currently, the interstitial "Advanced" link shows "You cannot visit sevecek.com right now because its certificate has been revoked." Technically, in the WoSign/StartCom case it was not the leaf cert that was revoked, but the root CA cert.

Also, the "Learn more" link, which now takes the user to https://support.google.com/chrome/answer/6098869, says nothing about revoked certs or specific CA cases.

Given the lack of cross-platform guarantees mentioned in #2, and the platform cert viewer UI, it seems to me that improving the error message and the help page might also fix the problem of a site owner not knowing what to fix, by at least pointing them in the right direction. The help page already has at least one "If you own this website"-type piece of advice.

@rsleevi I'm sorry for my English

For users, 3 questions are important:
1) which certificate in the certification path has been revoked
2) who revoked the certificate (the certificate owner, or is it "only" the browser developer's decision?)
3) if the certificate has been revoked by the browser, then why? (what is the reason)

I'm confused:
- Chrome doesn't trust https://www.sevecek.com and says NET::ERR_CERT_REVOKED (but in developer tools I see that everything is OK)
- Vivaldi doesn't trust https://www.sevecek.com and says NET::ERR_CERT_AUTHORITY_INVALID
- Firefox, IE and Edge trust https://www.sevecek.com

Some examples of good error messages:
- revoked root certificate SN XXXXX by Chrome, more information ...... 
- revoked intermediate certificate SN XXXXX by certificate authority (via CRL/OCSP)
- revoked leaf certificate SN XXXXX by certificate authority or certificate owner (via CRL/OCSP)

Especially if the certificate isn't trusted only by the browser developer (and the Dev Tools say everything is OK), then more information and an explanation of the reason are very important.

Labels: -Type-Bug Type-Feature
Status: WontFix (was: Unconfirmed)
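As an added example of the diagnostic the comment above asks for (this is not Chromium code and was not posted in the thread): a small Python script that walks a DER certificate chain from leaf to root, hashes each certificate's SubjectPublicKeyInfo, and reports which position in the chain was hit and by whom. Two sources are modelled: a browser-policy distrust list keyed by SPKI hash (my assumption of how a WoSign/StartCom-style block is expressed; it flags a root by its key, not by CRL/OCSP) and a CA revocation keyed by issuer and serial (a stand-in for a CRL/OCSP "revoked" answer for a leaf). The DER helpers, the toy certificates, the keys and both lists are constructed here for the demonstration; the parser follows the real X.509 layout, so it also works on genuine DER certificates.

```python
import hashlib

OID_CN = bytes.fromhex("550403")                      # id-at-commonName (2.5.4.3)
OID_RSA = bytes.fromhex("2A864886F70D010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption


def der_tlv(tag, content):
    """Encode one DER element (tag, definite length, content)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode the element starting at pos; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def der_children(content):
    """Split a constructed element's content into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, end = der_read(content, pos)
        out.append((tag, val, content[pos:end]))
        pos = end
    return out


def name_cn(name_content):
    """Return the commonName of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn, _ in der_children(name_content):
        for _, atv, _ in der_children(rdn):
            oid, value = der_children(atv)[:2]
            if oid[1] == OID_CN:
                return value[1].decode("utf-8", "replace")
    return None


def parse_cert(der):
    """Extract serial, issuer/subject CN and the SHA-256 of the DER-encoded SubjectPublicKeyInfo."""
    _, body, _ = der_read(der)
    tbs = der_children(der_children(body)[0][1])  # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                          # skip the optional [0] EXPLICIT version
        tbs = tbs[1:]
    serial, _, issuer, _, subject, spki = tbs[:6]
    return {
        "serial": int.from_bytes(serial[1], "big", signed=True),
        "issuer_cn": name_cn(issuer[1]),
        "subject_cn": name_cn(subject[1]),
        "spki_sha256": hashlib.sha256(spki[2]).hexdigest(),  # hash covers the whole SPKI TLV
    }


def find_revoked(chain_der, browser_distrust_spki, ca_revoked):
    """Walk a chain ordered leaf -> root; report every certificate flagged by either source.

    browser_distrust_spki: set of hex SHA-256 SPKI hashes (browser-policy block)
    ca_revoked: set of (issuer_cn, serial) pairs (stand-in for CRL/OCSP 'revoked' answers)
    """
    findings = []
    for i, der in enumerate(chain_der):
        info = parse_cert(der)
        position = "leaf" if i == 0 else "root" if i == len(chain_der) - 1 else "intermediate"
        if info["spki_sha256"] in browser_distrust_spki:
            findings.append((position, info["subject_cn"], info["serial"], "browser policy (SPKI distrust list)"))
        if (info["issuer_cn"], info["serial"]) in ca_revoked:
            findings.append((position, info["subject_cn"], info["serial"], "certificate authority (CRL/OCSP)"))
    return findings


def format_message(findings):
    """Render findings in the shape the comment suggests (position, serial, who revoked it)."""
    if not findings:
        return "no certificate in the chain is revoked or distrusted"
    return "; ".join(f"revoked {pos} certificate CN={cn} SN={sn:#x} by {by}" for pos, cn, sn, by in findings)


# --- constructed toy certificates: real X.509 layout, dummy keys and signatures ---
def toy_name(cn):
    atv = der_tlv(0x06, OID_CN) + der_tlv(0x0C, cn.encode())
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, atv)))


def toy_cert(subject_cn, issuer_cn, serial, key_bytes):
    alg = der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"170101000000Z") + der_tlv(0x17, b"270101000000Z"))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, OID_RSA) + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00" + key_bytes))
    serial_der = der_tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + serial_der + alg
                  + toy_name(issuer_cn) + validity + toy_name(subject_cn) + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 33))  # dummy signature, never verified here


ROOT = toy_cert("Toy Distrusted Root", "Toy Distrusted Root", 0x1, b"\x01" * 32)
INTER = toy_cert("Toy Intermediate", "Toy Distrusted Root", 0x2, b"\x02" * 32)
LEAF = toy_cert("www.example.test", "Toy Intermediate", 0x1234, b"\x03" * 32)
CHAIN = [LEAF, INTER, ROOT]

BROWSER_DISTRUST = {parse_cert(ROOT)["spki_sha256"]}  # root key blocked by browser policy
CA_REVOKED = {("Toy Intermediate", 0x1234)}           # leaf revoked by its issuer

if __name__ == "__main__":
    print(format_message(find_revoked(CHAIN, BROWSER_DISTRUST, set())))
    print(format_message(find_revoked(CHAIN, set(), CA_REVOKED)))
```

The two runs in the `__main__` block reproduce the two situations the thread contrasts: the same chain produces "revoked root certificate ... by browser policy" when only the root's key is on the distrust list, and "revoked leaf certificate ... by certificate authority" when only the leaf's (issuer, serial) pair is revoked. To use it on a real site, feed the DER certificates of the served chain in leaf-to-root order and replace the two constructed sets with the browser's published distrust entries and actual CRL/OCSP results.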
This is effectively a feature request. As noted in #2, we don't always clearly know what certificate is revoked, and in the majority of cases, the technical arcana behind which certificate was revoked isn't meaningful to the end user.

I don't think we're likely to get to this in the foreseeable future.

@elawrence I see, thanks. Do you think updating the "Learn more" help page https://support.google.com/chrome/answer/6098869 would make sense in this case, and if yes, should I file another report for that?

The help page already has some tech lingo targeted more at the site owners, e.g. ERR_SSL_WEAK_EPHEMERAL_DH_KEY hint:

> If you own this website, try updating your server to support ECDHE and turn off DHE.

so the site owner might get an idea from the help page of what to check and where.

@elawrence Thanks for your reply.

As noted in #2, I think that this information is important for users. I would like to clarify this.
A certificate revoked by a "Chrome" decision is much less important than a certificate revoked by the CA or its owner. For me it isn't significant that Chrome made the decision to revoke the StartCom CA. I trust the StartCom CA and web sites that use StartCom certificates. But I don't trust any web site if the leaf certificate has been revoked by the CA or the certificate owner.
