Comment by PunchyHamster
1 day ago
What worries me more about the push for shorter and shorter cert terms, instead of making revocation that works, is that if a provider fails, you now have very little time to switch to a new one.
1 day ago
> What worries me more about the push for shorter and shorter cert terms, instead of making revocation that works, is that if a provider fails, you now have very little time to switch to a new one.
This is a two-sided solution, and one significant reason for shorter certificate lifetimes is that they help make revocation work better.
Some ACME clients can fail over to another provider automatically if the primary one doesn't work, so you wouldn't necessarily need manual intervention on short notice as long as you have the foresight to set up a secondary provider.
People have tried. Revocation is a very hard problem to solve on this scale.