On Sunday, 2 October 2022 15:13:31 CEST, Salz, Rich wrote:
>> Now we have ACME, why not move to 3 day certs issued daily
>> and avoid the need for revocation entirely?
>
> Not all CAs in use on the WebPKI support ACME. Automating a
> single host to renew every 48 hours (have to allow for faults
> and retries) is okay, as long as you are confident your site
> will not be down during the "get new cert" window. As you scale
> up to millions of sites and/or thousands of locations, it's much
> less simple.
>
> But I'm still looking for an answer about what browsers and
> OCSP see as their future.

The same thing they did for the past 30 years: try to ignore it.
It's just that we now have the OneCRL for the "Too Big To Fail" websites
(/s).
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls