flakes 2 days ago

One is not really better, you want both. Certificate revocation lists are loaded out of band and depending on the client can be poorly enforced.

Questions come up: do you block a request if you fail to download the latest CRL? How often do you refresh it?

When the cert expires, it can be removed from the CRL, so shorter-lived certs will allow CRLs to be smaller and faster to transfer.
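
Added example, not part of the thread: a sketch of the policy choices raised in the comment above (block or allow when the CRL is missing or stale, how much refresh slack to tolerate) and of the issuer dropping expired certificates from the list. All names and the sample data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class CachedCRL:
    this_update: datetime
    next_update: datetime   # issuer's promised time of the next CRL
    revoked: dict           # serial -> notAfter of the revoked certificate

def check(serial, crl, now, fail_closed, grace=timedelta(0)):
    """Return 'allow' or 'block' for one certificate serial (hypothetical helper)."""
    # A listed serial stays revoked even if our copy of the CRL is old.
    if crl is not None and serial in crl.revoked:
        return "block"
    # No CRL at all, or the cached one is past nextUpdate plus the grace
    # window: the operator's policy decides.
    if crl is None or now > crl.next_update + grace:
        return "block" if fail_closed else "allow"
    return "allow"

def issuer_prune_expired(crl, now):
    """Issuer side: entries for certificates that have expired can be dropped."""
    return {s: exp for s, exp in crl.revoked.items() if exp > now}

# Constructed sample data: the last refresh failed, so the cache is 2 days stale.
UTC = timezone.utc
NOW = datetime(2025, 1, 10, tzinfo=UTC)
SAMPLE_CRL = CachedCRL(
    this_update=datetime(2025, 1, 1, tzinfo=UTC),
    next_update=datetime(2025, 1, 8, tzinfo=UTC),
    revoked={0x1001: datetime(2025, 2, 1, tzinfo=UTC),
             0x1002: datetime(2025, 1, 5, tzinfo=UTC)},  # cert already expired
)

if __name__ == "__main__":
    for label, closed in [("fail open", False), ("fail closed", True)]:
        print(label, "unlisted serial ->", check(0x2000, SAMPLE_CRL, NOW, closed))
    print("listed serial ->", check(0x1001, SAMPLE_CRL, NOW, fail_closed=False))
    print("entries after pruning:", len(issuer_prune_expired(SAMPLE_CRL, NOW)))
```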

naturalmovement 2 days ago | parent [-]

> Questions come up: do you block a request if you fail to download the latest CRL? How often do you refresh it?

In the before times we left settings like this up to competent system administrators to decide based on risk and not hardcoded by a handful of people at Google.

dijit 2 days ago | parent [-]

> competent system administrators

Sorry, we don't hire those anymore.

Best I can do is a YAML monkey who knows how to glue cloud services together..

icedchai 2 days ago | parent [-]

So true. The last time I worked with a person with an actual "system administrator" title was 2009!