
notrealyme123, today at 5:39 AM (2 replies)

I think revoking them would be better in such a case.


Replies

flakes, today at 6:12 AM

One is not really better; you want both. Certificate revocation lists are loaded out of band and, depending on the client, can be poorly enforced.

Questions come up: do you block a request if you fail to download the latest CRL? How often do you refresh it?

When the cert expires, it can be removed from the CRL, so shorter-lived certs will allow CRLs to be smaller and faster to transfer.

hdgvhicv, today at 6:11 AM

Revoking doesn’t really work.

https://garantir.io/certificate-revocation-challenges-and-be...
