cortesoft a day ago
Right, but what if the certificate is compromised? How would you revoke it?
cyphar 20 hours ago
If the DNS entries for the certificates have very short TTLs (i.e., 2 minutes) then you wouldn't need explicit revocation infrastructure. It would probably take more than 2 minutes for CRLs or OCSP changes to propagate anyway. (I'm not necessarily in favour of this, I just don't see the revocation part as being the main issue.)