On Sat, Sep 06, 2025 at 10:30:58PM +0200, Vincent Lefevre wrote:
> On 2025-09-06 20:07:47 +0200, Chris Hofstaedtler wrote:
> > A tool like wget is not in the position to fetch CRLs from all
> > possibly involved CAs for each request it makes. These CRLs are
> > unwieldy in size, making this completely impractical.
>
> This is not correct. https://blog.mozilla.org/en/firefox/crlite/
> claims: "CRLite is efficient enough to store *all* certificate
> revocations locally, requiring only 300KB per day of continuous
> updates to stay current."
>
> 300KB per day is very little for the security gain.

CRLite is not the CA-provided CRL, but a Mozilla-operated thing.
Somebody would have to drive an ecosystem-wide adoption. But from a
bit of searching I couldn't find client libraries, or any info on
how non-Mozilla stuff could use it.

Chris

