Revocation of X.509 certificates
Summary
Geoff Huston explains X.509 certificate revocation, covering CRLs, OCSP, and stapled OCSP, and discusses their real-world limitations. Using a revoked Let's Encrypt certificate as an example, the article highlights gaps in browser revocation checking, privacy concerns, and the difficulty of signaling trust changes in a timely way. It also explores potential directions such as shorter certificate lifetimes and DNS/DANE-based approaches as alternatives to traditional revocation.