On 2025-09-06 20:07:47 +0200, Chris Hofstaedtler wrote:
> A tool like wget is not in the position to fetch CRLs from all 
> possibly involved CAs for each request it makes. These CRLs are 
> unwieldy in size, making this completely impractical.

This is not correct. https://blog.mozilla.org/en/firefox/crlite/
claims: "CRLite is efficient enough to store *all* certificate
revocations locally, requiring only 300KB per day of continuous
updates to stay current."

300KB per day is very little for the security gain.

BTW, I'm wondering why this isn't implemented system-wide.

> For some background you can read
> https://letsencrypt.org/2022/09/07/new-life-for-crls

This is old.

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
