Comment by closeparen

4 years ago

If your Mac is unambiguously offline it fails open. What it's handling poorly is the fail-slow case.

Ugh. IMO the network should not be on the critical path to running an executable.

  • Most browser vendors agree because they all stopped checking CRLs (like they technically should) when verifying certs.

    I don’t think the design is wrong, I just think it’s tuned a little too cautious. If you’re going to verify certs then checking the CRL is something you really should do before approval. And you can’t sync the database entirely because it’s too big.

    There really aren’t any good solutions to this unless you can solve the cache invalidation problem.