sugarpimpdorsey 2 days ago

> CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data.

Compared to what? 12MB JavaScript bundles and autoplay videos? Do CDNs still exist?

There's a finite number of CAs and browsers can be expected to perform caching. Delta CRLs also exist and the CAs can decline to include expired leaf certs.

This sounds like a made-up problem that was solved 25 years ago.

redleader55 2 days ago | parent [-]

If you cache the revocation list, you lose all the benefits of instant revocation making the whole process pointless.

sugarpimpdorsey 2 days ago | parent [-]

OCSP is dead. We don't have that luxury anymore. By caching I meant for 12-24 hrs.
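To make the trade-off in this exchange concrete (delta CRLs from the first post, a 12-24 h client cache from this one), here is an added example that is not from any commenter: a toy model of a client-side revocation cache that merges a delta CRL into its base and refuses to answer once the cached copy is older than its max-age. The CRL records, serial numbers and timestamps are constructed, not real X.509 data, and delta handling is simplified to additions only (no removeFromCRL entries). It uses only the standard library.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for a CRL: only the fields the cache logic needs.
@dataclass
class Crl:
    number: int                          # CRL number, monotonic per issuer
    this_update: datetime
    next_update: datetime
    revoked: frozenset = frozenset()     # revoked certificate serial numbers
    base_number: Optional[int] = None    # set only on a delta CRL: the base it extends


class RevocationCache:
    """Client-side cache holding one base CRL with any applied deltas merged in."""

    def __init__(self, max_age: timedelta):
        self.max_age = max_age           # e.g. 12-24 h as discussed in the thread
        self.crl_number: Optional[int] = None
        self.revoked: set = set()
        self.next_update: Optional[datetime] = None
        self.fetched_at: Optional[datetime] = None

    def install_base(self, base: Crl, now: datetime) -> None:
        if base.base_number is not None:
            raise ValueError("expected a base CRL, got a delta")
        self.crl_number = base.number
        self.revoked = set(base.revoked)
        self.next_update = base.next_update
        self.fetched_at = now

    def apply_delta(self, delta: Crl, now: datetime) -> bool:
        """Merge a delta CRL; returns False if it does not fit the base we hold."""
        if self.crl_number is None or delta.base_number is None:
            return False
        if delta.base_number > self.crl_number:   # delta built on a newer base
            return False
        if delta.number <= self.crl_number:       # already covered
            return False
        self.revoked |= set(delta.revoked)
        self.crl_number = delta.number
        self.next_update = delta.next_update
        self.fetched_at = now
        return True

    def is_fresh(self, now: datetime) -> bool:
        """Fresh only if fetched within max_age and the issuer's nextUpdate has not passed."""
        if self.fetched_at is None or self.next_update is None:
            return False
        return now - self.fetched_at <= self.max_age and now < self.next_update

    def status(self, serial: int, now: datetime) -> str:
        if not self.is_fresh(now):
            return "stale"               # caller must refetch before trusting an answer
        return "revoked" if serial in self.revoked else "good"


def scenario(cache_max_age_hours: int) -> dict:
    """Constructed timeline: a revocation published 1 h after the client's last fetch."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    hour = timedelta(hours=1)
    cache = RevocationCache(timedelta(hours=cache_max_age_hours))

    base = Crl(number=10, this_update=t0, next_update=t0 + 7 * 24 * hour,
               revoked=frozenset({0x1001}))
    cache.install_base(base, now=t0)

    # CA publishes a delta one hour later revoking serial 0x2002 (constructed value).
    delta = Crl(number=11, this_update=t0 + hour, next_update=t0 + 7 * 24 * hour,
                revoked=frozenset({0x2002}), base_number=10)

    before_refresh = cache.status(0x2002, now=t0 + 2 * hour)      # cache still "fresh"

    refresh_time = t0 + timedelta(hours=cache_max_age_hours, minutes=1)
    at_expiry = cache.status(0x2002, now=refresh_time)            # max_age exceeded
    stale_delta_rejected = not cache.apply_delta(
        Crl(number=13, this_update=refresh_time, next_update=refresh_time + hour,
            revoked=frozenset(), base_number=12), now=refresh_time)
    cache.apply_delta(delta, now=refresh_time)
    after_refresh = cache.status(0x2002, now=refresh_time)

    exposure = refresh_time - delta.this_update   # window in which the revoked cert passed
    return {
        "before_refresh": before_refresh,
        "at_expiry": at_expiry,
        "after_refresh": after_refresh,
        "stale_delta_rejected": stale_delta_rejected,
        "exposure_seconds": int(exposure.total_seconds()),
    }


if __name__ == "__main__":
    for hours in (12, 24):
        print(hours, scenario(hours))
```

The point the numbers make is the one redleader55 raises: with a 24 h cache, a certificate revoked an hour after the client's last fetch is still reported "good" until the cache ages out, so the exposure window is bounded by the cache max-age rather than by how quickly the CA publishes. The `apply_delta` guard also shows why a client must track the base CRL number: a delta built on a newer base than the one held cannot be merged and forces a full refetch.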

redleader55 2 days ago | parent [-]

Again, if you need to revoke a certificate, it means something terrible happened - someone compromised your server and your website has a good chance to be impersonated by third parties. In all the other cases, you just let the old cert expire. You likely don't want people finding out about the revocation 12-24 hours later.

robertlagrant a day ago | parent [-]

OCSP-stapling seemed to be fine with 24-48 hour client-side caching, though.