Subj : [$] Linux's missing CRL infrastructure
To : All
From : LWN.net
Date : Tue Aug 26 2025 06:40:07

In July 2024, Let's Encrypt, the nonprofit TLS certificate authority (CA), announced that it would be ending support for the online certificate status protocol (OCSP), which is used to determine when a server's signing certificate has been revoked. This prevents a compromised key from being used to impersonate a web server. The organization cited privacy concerns, and recommended that people rely on certificate revocation lists (CRLs) instead. On August 6, Let's Encrypt followed through and disabled its OCSP service. This poses a problem for Linux systems that must now rely on CRLs because, unlike on other operating systems, there is no standardized way for Linux programs to share a CRL cache.

https://lwn.net/Articles/1033809/

--- SBBSecho 3.29-Linux
 * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (86:200/23)