alt Hacker NewsWas this AI-generated? It seems to keep circling around the same points and have some major misunderstandings.
> If that is the case, why should the server convey the certificate and the OCSP status to the client and defer to the client on the decision not to proceed with the TLS connection? Why shouldn’t the server simply terminate the TLS connection immediately itself?
Why does it matter? You're talking about a scenario that should essentially never happen, who cares about slightly suboptimal performance at that point?
> CRLs only really work efficiently when nobody revokes certificates.
Revocation is an emergency measure, not a routine one. That's ok.
> At this point, why not just use DANE (RFC 6698), store the public keys in the DNS, rely on DNSSEC to provide the necessary authenticity, and use DNS TTL settings to control the cached lifetime of the public key?
Because DNS' multilayered caching makes it notoriously impossible to operate safely or debug. Most large outages already originate in DNS issues; putting the crypto in that layer would redouble it.
Replies
Agreeing with my sibling commenter, this writer is extremely experienced and has been writing this blog for many years. I’d be appalled if this were LLM-written, but thankfully it reads with the same style and tone that he’s always had.
> Revocation is an emergency measure, not a routine one. That's ok.
At the scale modern CAs operate, even emergency measures (i.e. measures that are an emergency for the party receiving the leaf cert) are also routine for the CA/the party granting the leaf cert.
> Because DNS' multilayered caching makes it notoriously impossible to operate safely or debug.
That is not a problem for certs, you are not changing it every second. And the "impossible to operate or debug" is just plain failse or incompetence
> Most large outages already originate in DNS issues; putting the crypto in that layer would redouble it.
That is also just not true. Also, outage of DNS coz someone fucked up configuration management somewhere is not caused by anything related to DNS, it just so happens DNS is essential so any problem is visible.
looks like so, the emojies are dead give away.
I am not against using LLMs, but the author should have validated the contents before posting.
The author has a long history of quality content and should be considered experienced in his field of doing.
In addition to what other commenters have said, it's a copy of a post on their personal blog: https://www.potaroo.net/ispcol/2026-04/revocation.html
On revocation, check out https://bugzilla.mozilla.org/buglist.cgi?product=CA%20Progra... I don't think any CA hasn't had an issue with revocation at some point (e.g. Let's Encrypt had a major one in 2021, and refused to revoke), which is why Let's Encrypt is moving to 7 day certs (so that revocation isn't required, basically https://www.imperialviolet.org/2011/03/18/revocation.html which is mentioned in the article). My impression is CRLs (and by implication current revocation methods) don't work, and browsers are effectively fudging around CAs with custom methods (e.g. allowing existing certs but no new certs from distrusted CAs).
I'm no security expert, but modern bind9 seems to just handle DNSSEC with no issues when I've used it, and given that the "WebPKI" seems is becoming more and more reliant on custom browser code, adopting DANE outside browsers might not be the worst idea.