On Thu, Mar 04, 2021 at 04:11:18PM +0100, Dirk-Willem van Gulik wrote:
> As it allows key management, verification, etc without necessarily
> telling world+dog what you are doing (but for the occasional bulk down
> load of some CRLs).

You can dispense with CRLs/OCSP if you use sufficiently short-lived
certificates. That requires an online CA to certify those short-lived
certificates, but it's online infrastructure that is required only once
or twice per rotation period for any one end entity.

Nico
--