> Now we have ACME, why not move to 3 day certs issued daily and avoid the need
> for revocation entirely?
Not all CAs in use on the WebPKI support ACME. Automating a single host to renew every 48 hours (have to allow for faults and retries) is okay, as long as you are confident your site will not be down during the "get new cert" window. As you scale up to millions of sites and/or thousands of locations, it's much less simple. But I'm still looking for an answer about what browsers and OCSP see as their future.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls