tjoff 2 days ago
You could of course cache the list, only download whatever was new from a specific date. Short-lived certs would vastly reduce the list as well. Not really sure how big of a problem a list could be?
pmontra 2 days ago | parent
Let's see. I can cache the information that example.com is valid up to May 31 2026, but then how do I know that it gets revoked on any day before that date? And if I cache the information that it is revoked, how do I know that it's allowed again? I could check, let's say, one time per day even if I don't access that site. In any case I'm still leaking which domains I browse and I keep trusting cached certificates until the next check. On the other side, with short-lived certificates I would be trusting a certificate for a longer time, until it expires. Downloading a list of all certificates and their status from every CA is probably unfeasible. It seems that we can't escape a tradeoff between privacy and security.
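The tradeoff in the comment above can be made concrete with a small simulation. This is an added example, not code from the thread: it models a client that caches a certificate's status and re-queries a (simulated, constructed) CA at most once every `recheck_days`, counts how many days a revoked certificate is still trusted from the cache, counts how many status lookups the CA observes (the privacy leak), and compares that with a short-lived certificate that is never revocation-checked and is simply trusted until it expires. The domain, dates and revocation day are constructed for the example; `simulated_ca` stands in for whatever CRL/OCSP lookup a real client would do.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Tuple

# Constructed scenario: example.com's certificate is valid until 2026-05-31
# but gets revoked on 2026-03-10. Both values are made up for the example.
CERT_NOT_AFTER = date(2026, 5, 31)
REVOKED_ON = date(2026, 3, 10)


def simulated_ca(domain: str, today: date) -> Tuple[date, bool]:
    """Stand-in for a CRL/OCSP lookup: returns (not_after, revoked-as-of-today)."""
    return CERT_NOT_AFTER, today >= REVOKED_ON


@dataclass
class CachedStatus:
    not_after: date     # expiry taken from the certificate itself
    revoked: bool       # revocation status as of last_checked
    last_checked: date  # when the client last asked the CA


class RevocationCache:
    """Client-side status cache that re-checks a domain at most once per recheck_days.

    Between checks the cached answer is trusted unconditionally, so a revocation
    (or an un-revocation) issued after last_checked is invisible until the next check.
    """

    def __init__(self, recheck_days: int, fetch_status: Callable[[str, date], Tuple[date, bool]]):
        self.recheck_days = recheck_days
        self.fetch_status = fetch_status
        self.entries: Dict[str, CachedStatus] = {}
        self.lookups: List[Tuple[str, date]] = []  # every (domain, day) the CA saw

    def is_trusted(self, domain: str, today: date) -> bool:
        entry = self.entries.get(domain)
        if entry is None or (today - entry.last_checked).days >= self.recheck_days:
            not_after, revoked = self.fetch_status(domain, today)
            self.lookups.append((domain, today))   # the privacy cost of a check
            entry = CachedStatus(not_after, revoked, today)
            self.entries[domain] = entry
        return today <= entry.not_after and not entry.revoked


def simulate(recheck_days: int, start: date = date(2026, 3, 1), days: int = 31) -> Tuple[int, int]:
    """Visit example.com daily for `days` days.

    Returns (days the revoked cert was still trusted, number of CA lookups made).
    """
    cache = RevocationCache(recheck_days, simulated_ca)
    stale_trust_days = 0
    for i in range(days):
        today = start + timedelta(days=i)
        if cache.is_trusted("example.com", today) and today >= REVOKED_ON:
            stale_trust_days += 1
    return stale_trust_days, len(cache.lookups)


def short_lived_exposure_days(issued_on: date, lifetime_days: int, revoked_on: date) -> int:
    """Days a compromised short-lived cert stays trusted when nobody checks revocation:
    from the revocation day until the certificate simply expires."""
    expiry = issued_on + timedelta(days=lifetime_days)
    return max(0, (expiry - revoked_on).days)


if __name__ == "__main__":
    for recheck in (1, 7):
        stale, lookups = simulate(recheck)
        print(f"re-check every {recheck} day(s): trusted-while-revoked {stale} days, CA lookups {lookups}")
    for lifetime in (7, 90):
        exposure = short_lived_exposure_days(date(2026, 3, 5), lifetime, REVOKED_ON)
        print(f"{lifetime}-day cert, no revocation checks: trusted-while-revoked {exposure} days")
```

With a weekly re-check the client keeps trusting the revoked certificate for five days but only contacts the CA five times in the month; with a daily re-check the stale window drops to zero at the cost of a lookup on every visit, which is exactly the privacy-versus-security tension described above. The short-lived variant trades the lookups away entirely and instead bounds exposure by the certificate lifetime.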