Remix clone Hacker News

Let's Encrypt dropped support for OCSP. CRL doesn't scale well. Short lived certificate probably are a way to avoid certificate revocation quirks.

▲

Ajedi32 4 days ago | parent [-]

It's a real shame. OCSP with Must-Staple seemed like the perfect solution to this, it just never got widespread support.

I suppose technically you can get approximately the same thing with 24-hour certificate expiry times. Maybe that's where this is ultimately heading. But there are issues with that design too. For example, it seems a little at odds with the idea of Certificate Transparency logs having a 24-hour merge delay.

	▲	NoahZuniga 3 days ago \| parent \| next [-]
		Also certificate transparency is moving to a new standard (sunlight CT) that has immediate merges. Google requires maximum merge delay to be 1 minute or less, but they've said on google groups that they expect merges to be way faster.
	▲	lokar 3 days ago \| parent \| prev [-]
		The log is not really for real time use. It’s to catch CA non-compliance.