[phicoh]

In the past, revocation was supposed to help cases where the owner of the certificate exposed the private key in one way or another.

Now it seems that revocation is supposed to help the CA covering up mistakes made by the CA.

Maybe we actually need a better CA.

[pgporada]

The Baseline Requirements require revocation of misissued certificates, this isn't "a CA covering up mistakes."

[rad_gruchalski]

> Maybe we actually need a better CA.

Go for it. Start one and tell us how it went.

[phicoh]

If ever I have too much free time, I'll spend it modifying firefox to support DANE.

[rad_gruchalski]

I simply think your previous argument is disingenuous. We have a free to use CA who's code can be vetted, such mistakes can be caught, potential problems can be averted. If this is the price to pay, okay, so be it. Imagine what must fly under the radar of other CAs who do not have thousands of eyes vetting their code base - as in, those would never be visible.

So okay, maybe you don't have certs revoked and you don't need to restart your Traefik but are you really sure everything is okay?