<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"/></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">On Apr 16, 2025, at 2:54 AM, iang via cryptography &lt;cryptography@metzdowd.com&gt; wrote:<br/><div><div></div><blockquote type="cite"><div>The issue was that the revocation 'solution' was patchy at best and</div><div>fraudulent at worst. Because of 'procedures' it theoretically protected</div><div>the CA from liability once those procedures were undertaken (or should</div><div>have been undertaken), and 'protected' you because you were forced to</div><div>check for revocation through some cumbersome mechanism that nobody</div><div>really cared for.</div><blockquote type="cite"></blockquote></blockquote><blockquote type="cite"><br/></blockquote><blockquote type="cite">So now that they've given up on making it work, they do need something<br/></blockquote><blockquote type="cite"><div><div>to cover for the fact that it was a rort from beginning to end, and the<br/>obvious technical security thing - having long-lived certs - can't be<br/>done because revenue. </div></div></blockquote><br/></div><div>Without commenting on business models, I thought the browser vendors had decided to reinvigorate revocation with CRLite (i.e., <a href="https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland17.pdf">https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland17.pdf</a>), e.g., <a href="https://github.com/mozilla/crlite">https://github.com/mozilla/crlite</a>?</div><br/><div>Regards,</div><div>-drc</div></body></html>