Re: What ASN.1 got right

On Thu, Mar 04, 2021 at 09:07:51AM -0800, Michael Thomas wrote:
> On 3/4/21 7:54 AM, Nico Williams wrote:
> > You can dispense with CRLs/OCSP if you use sufficiently short-lived
> > certificates.
> > 
> > That requires an online CA to certify those short-lived certificates,
> > but it's online infrastructure that is required only once or twice per
> > rotation period for any one end entity.
> 
> "requires an online" being the key phrase. If you require online, you can
> reduce the revocation linger time to zero, and you don't need the onerous
> infrastructure of X.509 at all. Naked public keys are our friends.

The "... that is required only once or twice per rotation period for any
one end entity" part is an essential modifier to "requires an online".
You can't focus on the "requires an online" without addressing the other
part.

Nico
-- 



