Re: What ASN.1 got right

On 3/4/21 7:54 AM, Nico Williams wrote:
> On Thu, Mar 04, 2021 at 04:11:18PM +0100, Dirk-Willem van Gulik wrote:
>> As it allows key management, verification, etc. without necessarily
>> telling world+dog what you are doing (but for the occasional bulk
>> download of some CRLs).
> You can dispense with CRLs/OCSP if you use sufficiently short-lived
> certificates.
>
> That requires an online CA to certify those short-lived certificates,
> but it's online infrastructure that is required only once or twice per
> rotation period for any one end entity.

"requires an online" being the key phrase. If you require online, you can reduce the revocation linger time to zero, and you don't need the onerous infrastructure of X.509 at all. Naked public keys are our friends.

Mike



