
With short enough expiry you can actually treat them the same. Where short means hours. If your response time, pushing updates, etc. is going to take hours anyway, revocation starts to lose meaning. And that's before we start talking about methods of revocation which, on the public internet, virtually don't exist. Or internal systems, where barely any library actually supports anything better than manually distributed CRLs.
