[chmars]

Honestly, I don't see a point in certificate revocations anymore, i.e., your implicit conclusion seems to be correct. And I don't blame Google for our broken revocation system – especially because the even the best revocation system couldn't fix the current certification system that is broken in its core.

[einhverfr]

Google's problem is they decide which revocations are worth passing on to the browser. That's at least as broken by design.....

Believe me I am aware of the limits of soft-fail, but the answer cannot be even in the short-run to let a browser vendor tell us which revocations are worth knowing about.

[enneff]

Soft fail doesn't work at all. CRLset works for the certificates that it covers (some 25k of them, btw).

Which approach is worse?

[mpyne]

> but the answer cannot be even in the short-run to let a browser vendor tell us which revocations are worth knowing about.

So you trust the browser vendor to ship you executable native code but you don't trust the browser vendor to apply reasonably decent criteria for the top x% most-needed cert revocations on the Internet?

[tptacek]

Do you know the limits of "soft-fail"? Because I don't see you addressing them.