Btw, is there any reason why CRLs are not widely published via DNS (https://tools.ietf.org/html/rfc4398)? It would lower the costs associated with distribution of CRLs...
CRLs are way too large to distribute through the DNS (e.g. the Comodo CRL mentioned in the blog post is 740kb). And what does that RFC say to do when a CRL is too big? Return a URL instead. So we're back to square one.
Yeah, right. But any CRL smaller than 64 KB can be distributed this way. So it would be the CA's responsibility to keep them small, otherwise they would pay for the full traffic.
"The RDATA field in the DNS protocol may only hold data of size 65535 octets (64kb) or less. This means that each CERT RR MUST NOT contain more than 64kb of payload, even if the corresponding certificate or certificate revocation list is larger. This document addresses this by defining "indirect" data types for each normal type."