It's because CRLs/OCSP sucks so now short expiration is rolling out. | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		kxxt 5 days ago \| parent \| context \| favorite \| on: F-Droid site certificate expired It's because CRLs/OCSP sucks so now short expiration is rolling out.

ozim 5 days ago [–]

CRL doesn’t suck it is just not easy problem on web scale.

But seems like there is feasible solution: https://hacks.mozilla.org/2025/08/crlite-fast-private-and-co...

aaomidi 5 days ago | [–]

AKA they suck in this context

ozim 5 days ago | | [–]

Was CRL designed with this context in mind?

aaomidi 5 days ago | | [–]

Doesn’t matter. I think we’re fighting semantics.

Certificates are cached trust, and all the cache busting problem applies here.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact