userbinator 2 days ago
Don't forget revocation checking = more centralised control, although they seem to have gone with very-short-lived certificates instead.
perching_aix 2 days ago
It's also literally a centralized trust model though. You know how the saying goes: if you're going to be a criminal, you may as well be the best one in town.
mholt a day ago
Revocation has many meanings. No central revocation authority is actually enforced by the BRs, as far as I know. Clients can do whatever they want. The CA can say a cert is revoked but no one has to care. Clients can also say a cert is revoked and then all their client instances start rejecting it. Most clients work this way now, like Safari -- they just distribute their own CRLs.
Dylan16807 2 days ago
> Don't forget revocation checking = more centralised control

How so? Doesn't revocation have to be done by the same entity that issued the certificate?