
> and publish a revocation via CRL if the validation times out or fails for 1 month + 1 day.

If you're in a position to MITM using a stolen certificate, you're probably also in a position to block the CRL response from going through. Since failing to get an updated CRL doesn't result in a security warning, your CRL proposal is essentially useless.



> you're probably also in a position to block the CRL response from going through

Not if the certificate is OCSP-Must-Staple.



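As an added illustration of the distinction drawn in this thread (not code from either commenter): a Python check, using the `cryptography` package, that reports whether a certificate carries CRL/OCSP pointers and whether it is OCSP Must-Staple (RFC 7633 TLS Feature extension), i.e. whether a client will still hard-fail when an on-path attacker blocks the revocation fetch. The demo certificate, its names and URLs are constructed placeholders.

```python
# Added example, not from the thread; assumes the 'cryptography' package is installed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

def _ext(cert, oid):
    """Return an extension's value, or None when the cert lacks it."""
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None

def revocation_posture(cert):
    """Collect CRL URLs, OCSP responder URLs and the RFC 7633 Must-Staple flag."""
    posture = {"crl_urls": [], "ocsp_urls": [], "must_staple": False}
    for dp in _ext(cert, ExtensionOID.CRL_DISTRIBUTION_POINTS) or []:
        for name in dp.full_name or []:
            if isinstance(name, x509.UniformResourceIdentifier):
                posture["crl_urls"].append(name.value)
    for ad in _ext(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS) or []:
        if ad.access_method == AuthorityInformationAccessOID.OCSP:
            posture["ocsp_urls"].append(ad.access_location.value)
    feat = _ext(cert, ExtensionOID.TLS_FEATURE)
    posture["must_staple"] = feat is not None and x509.TLSFeatureType.status_request in list(feat)
    return posture

def survives_blocked_fetch(posture):
    """True only when a client still hard-fails if the CRL/OCSP fetch is blocked: the
    Must-Staple case, where the server must staple a fresh OCSP response in the handshake.
    Bare CRL/OCSP URLs are soft-fail in mainstream clients."""
    return posture["must_staple"]

def make_demo_cert(must_staple):
    """Constructed self-signed cert with CRL and OCSP pointers (placeholder URLs)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo.invalid")])
    now = datetime.datetime.now(datetime.timezone.utc)
    crl_uri = x509.UniformResourceIdentifier("http://crl.example.invalid/demo.crl")
    crl = x509.DistributionPoint([crl_uri], None, None, None)
    ocsp = x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                  x509.UniformResourceIdentifier("http://ocsp.example.invalid"))
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.CRLDistributionPoints([crl]), critical=False)
         .add_extension(x509.AuthorityInformationAccess([ocsp]), critical=False))
    if must_staple:
        b = b.add_extension(x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False)
    return b.sign(key, hashes.SHA256())
```

Run `revocation_posture(make_demo_cert(True))` against a real leaf certificate loaded with `x509.load_pem_x509_certificate` to see which of the three revocation channels it actually offers.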
