by new23d
697 days ago
Some initial observations:

• Google's CRLs from the same intermediate CA (same public key) have different URLs and different content when pulled from different hosts (google.com, youtube.com).
• DigiCert has sharded according to 'assurance' class, algorithm, year and acquisition's name.
• Sectigo also has sharded according to 'assurance' class [1].
• GlobalSign has sharded by the yearly quarter presumably.
• HTTP Cache-Control max-age (or s-maxage), 'Expires' and 'Next Update' within the CRL file are not in sync.
• Some CAs other than Let's Encrypt also do not publish CRL URLs in the leaf certificates.

[1] https://www.sectigo.com/knowledge-base/detail/Sectigo-Interm...
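The mismatch between HTTP cache lifetime and the CRL's Next Update, mentioned in the comment above, can be checked mechanically. This is an added example, not part of the original comment: it assumes the CRL's nextUpdate has already been parsed into a datetime, ignores the `Age` header, and uses constructed header values.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
import re

def http_fresh_until(headers, fetched_at, shared_cache=True):
    """Time at which an HTTP cache stops treating the CRL response as fresh.

    Precedence follows RFC 9111: s-maxage (shared caches only), then
    max-age, then Expires.
    """
    cc = headers.get("Cache-Control", "").lower()
    directives = dict(re.findall(r"([a-z-]+)\s*=\s*\"?(\d+)", cc))
    names = ("s-maxage", "max-age") if shared_cache else ("max-age",)
    for name in names:
        if name in directives:
            return fetched_at + timedelta(seconds=int(directives[name]))
    if "Expires" in headers:
        return parsedate_to_datetime(headers["Expires"])
    return None  # response carries no explicit freshness lifetime

def compare(headers, fetched_at, next_update, shared_cache=True):
    """Classify how the HTTP lifetime relates to the CRL's nextUpdate."""
    fresh_until = http_fresh_until(headers, fetched_at, shared_cache)
    if fresh_until is None:
        return "no-http-lifetime"
    if fresh_until > next_update:
        return "cache-outlives-crl"   # cache may serve a CRL past nextUpdate
    if fresh_until < next_update:
        return "cache-expires-first"  # refetch happens before nextUpdate
    return "in-sync"

# Constructed sample values (not taken from any real CA response).
FETCHED_AT = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
NEXT_UPDATE = datetime(2025, 1, 8, 12, 0, tzinfo=timezone.utc)  # from the CRL
MIXED = {
    "Cache-Control": "public, max-age=3600, s-maxage=1209600",
    "Expires": "Wed, 08 Jan 2025 12:00:00 GMT",
}
EXPIRES_ONLY = {"Expires": "Wed, 08 Jan 2025 12:00:00 GMT"}

if __name__ == "__main__":
    print("shared cache :", compare(MIXED, FETCHED_AT, NEXT_UPDATE, True))
    print("private cache:", compare(MIXED, FETCHED_AT, NEXT_UPDATE, False))
    print("expires only :", compare(EXPIRES_ONLY, FETCHED_AT, NEXT_UPDATE))
```

The "cache-outlives-crl" result is the case to watch: an intermediary may keep serving a CRL that the CA itself considers due for replacement.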