by mholt
258 days ago
Yeah, revocation is a hot mess, it's always been broken, and OCSP Stapling was our only hope -- but then most web servers (but not all! guess which one) dropped the ball. (Clients at least honored Must-Staple.) Short certificate lifetimes is the ultimate way forward, and thankfully it's already available through Let's Encrypt, via the "shortlived" profile. With a certificate that lives < ~7 days, there's virtually no need to revoke. Some clients/browsers will still move to revoke certificates within minutes or hours of their own choosing (see, that's the other frustrating thing, revocation is really just whatever you want), but I hope we'll only see that on internal PKIs, since doing that for public sites is essentially censorship. |
Maybe if you're the developer of a major web server :), but the rest of us still have to wait for general availability [0] [1].
[0]: https://letsencrypt.org/docs/profiles/#shortlived
[1]: https://community.letsencrypt.org/t/shortlived-is-currently-...