@jwildeboer@social.wildeboer.net
So what I understand from the (X.509) certificate ecosystem is that CRLs (Certificate Revocation Lists) are kinda still there but practically out, OCSP (Online Certificate Status Protocol) could have privacy and performance problems and never really "made" it, so "Passive Revocation" is the thing to do. It sounds technologically advanced, but in reality it simply means that certificates expire very fast (hours, maybe a day of validity), hoping that that will be enough to contain abuse.
1/n