Comment by Spivak
4 years ago
Most browser vendors agree because they all stopped checking CRLs (like they technically should) when verifying certs.
I don’t think the design is wrong, I just think it’s tuned a little too cautiously. If you’re going to verify certs, then checking the CRL is something you really should do before approval. And you can’t sync the database entirely because it’s too big.
There really aren’t any good solutions to this unless you can solve the cache invalidation problem.
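The step Spivak describes (verify the chain, then consult the CRL before approving the cert) as an added, runnable illustration. This is example code written for this page, not code from the commenter or from any browser; it uses only Go's standard library. `BuildFixture`, `MakeCRL` and `VerifyWithCRL` are hypothetical names, and the CA, leaf and CRL are constructed in memory rather than fetched from a real distribution point. Note that `x509.Certificate.Verify` does not check revocation at all, so the CRL signature, freshness and serial lookup have to be done by the caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the leaf's serial number appears on the CRL.
var ErrRevoked = errors.New("certificate is revoked")

// Fixture holds a throwaway CA and one leaf it issued (constructed in memory for this example).
type Fixture struct {
	CACert *x509.Certificate
	CAKey  *ecdsa.PrivateKey
	Leaf   *x509.Certificate
}

// BuildFixture generates a self-signed CA permitted to sign CRLs and a server leaf it issued.
func BuildFixture(now time.Time) (*Fixture, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "server.example.test"},
		DNSNames:     []string{"server.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &Fixture{CACert: caCert, CAKey: caKey, Leaf: leaf}, nil
}

// MakeCRL issues a CRL from the fixture CA that lists the given serial numbers as revoked.
func MakeCRL(fx *Fixture, now time.Time, revoked ...*big.Int) (*x509.RevocationList, error) {
	var entries []pkix.RevokedCertificate
	for _, sn := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: sn, RevocationTime: now.Add(-time.Minute)})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now.Add(-time.Minute),
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: entries,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, fx.CACert, fx.CAKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// VerifyWithCRL checks the chain and then the issuer's CRL before accepting the leaf.
// A CRL that is unsigned by the issuer or outside its validity window is treated as a failure,
// not as "no revocation information"; silently accepting in that case is the fail-open behaviour
// the comment is complaining about.
func VerifyWithCRL(leaf, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return errors.New("crl is not current")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	now := time.Now()
	fx, err := BuildFixture(now)
	if err != nil {
		panic(err)
	}
	crl, _ := MakeCRL(fx, now, fx.Leaf.SerialNumber)
	fmt.Println("revoked leaf:", VerifyWithCRL(fx.Leaf, fx.CACert, crl, now))
}
```

The freshness check is where the "too big to sync" and cache-invalidation problem from the comment shows up in practice: a client that cannot obtain a current CRL has to choose between refusing the connection and proceeding without revocation data, and this example refuses.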