by kroeckx 699 days ago
For the major browsers, this probably makes little difference, but for anything else, this will most likely result in not verifying the revocation status of certificates anymore or making things slower.

As far as I know, most browser vendors already download the CRLs, and then update the browsers based on what they downloaded. For instance Firefox seems to be using CRLite. There is a lack of support for something like that in the non-major browsers and non-browsers. The alternative they have is to download the CRL instead of the OCSP reply, which is larger, probably making things slower. Or they could just not check the status, which is most likely what will happen.

CRLite changes the failure mode of the status check; it no longer just ignores errors in downloading the status information.

We need better support for something like CRLite.
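An added example (not code from this thread, from Mozilla, or from any browser vendor) of the non-browser client's situation described above: it fetches nothing from the network, builds a throwaway CA, two leaf certificates and a CA-signed CRL in memory with Go's standard library, checks a leaf's serial against that CRL, and makes the failure mode an explicit policy decision instead of an ignored download error. The names `CheckAgainstCRL`, `Accept`, `BuildFixture` and `FixtureNow`, the serial numbers and the CA name are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type RevocationStatus int

const (
	StatusGood    RevocationStatus = iota // not listed in a fresh, signature-verified CRL
	StatusRevoked                         // serial number is listed
	StatusUnknown                         // CRL missing, unverifiable or stale: the soft-fail case
)

// CheckAgainstCRL verifies that crlDER is a CRL signed by issuer and current at
// time now, then looks for leaf's serial in it. Any defect in the CRL itself is
// StatusUnknown, never StatusGood, so the caller has to choose a failure mode.
func CheckAgainstCRL(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (RevocationStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER) // a failed download leaves crlDER empty
	if err != nil {
		return StatusUnknown, fmt.Errorf("unusable CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusUnknown, fmt.Errorf("CRL not current at %v (nextUpdate %v)", now, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// Accept applies the client's policy to an unknown status: fail-closed rejects, fail-open degrades to "not checked".
func Accept(status RevocationStatus, failClosed bool) bool {
	if status == StatusUnknown {
		return !failClosed
	}
	return status == StatusGood
}

var FixtureNow = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed clock the constructed PKI is valid at

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture constructs a throwaway test PKI (not a real CA): a CA, a leaf the
// CA has revoked, a leaf it has not, and the CA-signed DER-encoded CRL.
func BuildFixture() (ca, revokedLeaf, goodLeaf *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: FixtureNow.Add(-time.Hour), NotAfter: FixtureNow.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList requires an issuer key id
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "leaf.example.test"},
			NotBefore: FixtureNow.Add(-time.Hour), NotAfter: FixtureNow.Add(24 * time.Hour),
		}
		der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
		return must(x509.ParseCertificate(der))
	}
	revokedLeaf, goodLeaf = issue(4242), issue(4243)
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: FixtureNow.Add(-time.Minute), NextUpdate: FixtureNow.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revokedLeaf.SerialNumber, RevocationTime: FixtureNow.Add(-time.Minute)}},
	}
	crlDER = must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return ca, revokedLeaf, goodLeaf, crlDER
}

func main() {
	ca, revoked, good, crl := BuildFixture()
	st, err := CheckAgainstCRL(revoked, ca, crl, FixtureNow)
	fmt.Println("revoked leaf:", st, err)
	st, err = CheckAgainstCRL(good, ca, nil, FixtureNow) // simulate a failed CRL download
	fmt.Println("missing CRL:", err, "fail-open accepts:", Accept(st, false), "fail-closed accepts:", Accept(st, true))
}
```

The point of the three-way status is the one made above about failure modes: a client that maps every CRL problem (download failed, bad signature, past nextUpdate) straight to "accepted" has effectively stopped checking, and `Accept` makes that a visible configuration choice rather than a silent default. In a real deployment the CRL would be fetched from the issuer's CRL distribution point and cached until `NextUpdate`, which is exactly the size and freshness problem the thread describes.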


I did some research a while ago into ensuring up-to-date CRLs for a non-browser use case. Besides the problem of the massive size of CRLs, I couldn't find good tools for automatic updates across all trusted CRLs.

My conclusion was that it isn't really practical unless you only trust one or two CAs.

Making something like CRLite more like a standard seems worthwhile. I looked at the Mozilla bits but AFAICT there’s not much if any documentation of the low-level bits and pieces.