Comment by iso1631
4 years ago
It's a shame you're being downvoted as you're right, CRLs and OCSP do practically nothing _for web browsers_
OCSP is flawed because you can block the connection, meaning
1) Your browser has to accept it (thus an attacker feeding you the bad certificate can bypass OCSP)
2) Your browser blocks completely (thus DoSing all connections), and people use another browser
CRLs don't scale - you can't keep a cached list of every revoked cert globally.
However I pull down the CRLs for my internal CA every few hours onto my internal https sites, which rely on a client presenting a valid certificate to connect. If that doesn't get pulled down, I get a warning about it in the monitoring system. When a client with a client certificate connects, I check against my local cache of the CRL, and if it's been revoked, it can't connect.
What problem do you have on your private CA internal network that CRLs fix but browsers don't? Are you that concerned that your server certificates get compromised? You should be working to massively reduce the time those certificates are valid.
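The cached-CRL check the comment describes (pull the internal CA's CRL periodically, alert when the copy goes stale, refuse clients whose serial is listed), as an added example written for this page rather than the commenter's own setup. It uses the `cryptography` library, builds a throwaway internal CA key and a constructed CRL in memory so it runs offline, and the CA name, the revoked serial `0x1234` and the six-hour validity window are assumptions for the demo. Beyond the comment's revoked/not-revoked case it also fails closed when the cached CRL is past its nextUpdate or its signature does not verify against the CA, which is the condition a monitoring alert should fire on:

```python
"""Check a connecting client certificate's serial against a locally cached CRL.

Constructed example: an in-memory internal CA signs a CRL revoking serial
0x1234. check_client_serial() loads the cached DER CRL, verifies its signature
against the CA key, refuses to trust a stale cache (nextUpdate has passed, the
"warning in the monitoring system" case) and then looks the client's serial up
in the revoked list.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
# Assumed issuer name for the demo CA (not a real deployment's CA).
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Internal CA")])


def make_ca_key():
    """Generate a throwaway EC key standing in for the internal CA's signing key."""
    return ec.generate_private_key(ec.SECP256R1())


def issue_crl(ca_key, revoked_serials, now, valid_hours=6):
    """Sign a CRL listing the given serials; returns DER bytes as a CA would publish."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(CA_NAME)
        .last_update(now)
        .next_update(now + datetime.timedelta(hours=valid_hours))
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(private_key=ca_key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


def _next_update(crl):
    """Return the CRL's nextUpdate as an aware UTC datetime across library versions."""
    nu = getattr(crl, "next_update_utc", None)  # cryptography >= 42
    if nu is None:
        nu = crl.next_update.replace(tzinfo=UTC)  # older versions give naive UTC
    return nu


def check_client_serial(crl_der, ca_public_key, client_serial, now):
    """Decide whether a client cert with this serial may connect, given the cached CRL.

    Returns one of "bad-signature", "stale-crl", "revoked", "ok". A stale or
    unverifiable CRL is treated as a failure, not as "nothing revoked": a cache
    that stopped updating is exactly what the periodic pull's monitoring catches.
    """
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_public_key):
        return "bad-signature"
    if now > _next_update(crl):
        return "stale-crl"
    if crl.get_revoked_certificate_by_serial_number(client_serial) is not None:
        return "revoked"
    return "ok"


def demo():
    """Run the four cases a cached-CRL gate has to get right; returns case -> verdict."""
    now = datetime.datetime.now(UTC)
    ca_key = make_ca_key()
    crl_der = issue_crl(ca_key, [0x1234], now)  # constructed CRL: one revoked serial
    ca_pub = ca_key.public_key()
    return {
        "revoked": check_client_serial(crl_der, ca_pub, 0x1234, now),
        "valid": check_client_serial(crl_der, ca_pub, 0x5678, now),
        "stale": check_client_serial(crl_der, ca_pub, 0x5678, now + datetime.timedelta(hours=7)),
        "forged": check_client_serial(crl_der, make_ca_key().public_key(), 0x5678, now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

In a real deployment the DER bytes would come from the file the periodic job writes, and the serial from the client certificate the TLS layer already validated against the CA; the point of the stale-CRL branch is that a client check against an expired cache should raise the alarm rather than silently admit everyone.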