pmontra 2 days ago

Let's see. I can cache the information that example.com is valid up to May 31 2026, but then how do I know that it gets revoked on any day before that date?

And if I cache the information that it is revoked, how do I know that it's allowed again?

I could check, let's say one time per day even if I don't access that site.

In any case I'm still leaking which domains I browse and I keep trusting cached certificates until the next check.

On the other side, with short-lived certificates I would be trusting a certificate for a longer time, until it expires.

Downloading a list of all certificates and their status from every CA is probably unfeasible.

It seems that we can't escape a tradeoff between privacy and security.

tjoff a day ago | parent

You cache the revocation list, no? If it is in the list it is revoked...

How do you know it is allowed again? Because it responds with a new certificate, that isn't revoked...

You are not leaking anything. You are just downloading a list of revoked domains. Regardless of whether you are visiting them or not.
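As an added illustration of the cached-CRL check described in the reply above (this is not code from the thread), a small stdlib-only Python model: the list is trusted until its nextUpdate, a serial that appears on it is rejected, and a freshly issued certificate with a new serial passes simply because it is absent from the list. The issuer name, serials and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    not_after: datetime

@dataclass(frozen=True)
class CachedCRL:
    issuer: str
    this_update: datetime        # when the CA produced this list
    next_update: datetime        # CA's promise of when a newer list will exist
    revoked_serials: frozenset   # serial numbers the CA has revoked

def revocation_status(cert: Cert, crl: Optional[CachedCRL], now: datetime) -> str:
    """Decide trust from the local cache alone: no per-site lookup, so no domain leaks."""
    if now > cert.not_after:
        return "EXPIRED"
    if crl is None or crl.issuer != cert.issuer:
        return "NO_CRL"          # nothing cached for this issuer: must fetch a list first
    if now > crl.next_update:
        return "STALE_CRL"       # cache outlived its validity: refetch before trusting
    # Anything the CA revoked after this_update is unknown to this cache until the
    # next refresh; that window is the cost raised in the parent comment.
    if cert.serial in crl.revoked_serials:
        return "REVOKED"
    return "GOOD"

# Constructed sample data (hypothetical CA, serials and dates).
T0 = datetime(2025, 6, 1, tzinfo=timezone.utc)
CRL = CachedCRL("Example CA", this_update=T0, next_update=T0 + timedelta(days=1),
                revoked_serials=frozenset({1001}))
OLD_CERT = Cert("Example CA", 1001, not_after=datetime(2026, 5, 31, tzinfo=timezone.utc))
NEW_CERT = Cert("Example CA", 1002, not_after=datetime(2026, 5, 31, tzinfo=timezone.utc))  # reissued

def demo() -> dict:
    one_hour = T0 + timedelta(hours=1)
    return {
        "old_now": revocation_status(OLD_CERT, CRL, one_hour),      # on the list
        "new_now": revocation_status(NEW_CERT, CRL, one_hour),      # new serial, not on the list
        "new_later": revocation_status(NEW_CERT, CRL, T0 + timedelta(days=2)),
        "new_expired": revocation_status(NEW_CERT, CRL, datetime(2026, 6, 1, tzinfo=timezone.utc)),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(case, status)
```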