• Google's CRLs from the same intermediate CA (same public key) have different URLs and different content when pulled from different hosts (google.com, youtube.com).
• DigiCert has sharded according to 'assurance' class, algorithm, year and acquisition's name.
• Sectigo also has sharded according to 'assurance' class [1].
• GlobalSign has sharded by the yearly quarter presumably.
• HTTP Cache-Control maxage (or s-maxage), 'Expires' and 'Next Update' within the CRL file are not in sync.
• Some CAs other than Let's Encrypt also do not publish CRL URLs in the leaf certificates.
4 comments
[ 3.8 ms ] story [ 18.4 ms ] threadData is on CRL availability, number of entries, expiry & refresh times, etc. from various x509 leaf server SSL certificates.
[1] https://news.ycombinator.com/item?id=41046956
• Google's CRLs from the same intermediate CA (same public key) have different URLs and different content when pulled from different hosts (google.com, youtube.com).
• DigiCert has sharded according to 'assurance' class, algorithm, year and acquisition's name.
• Sectigo also has sharded according to 'assurance' class [1].
• GlobalSign has sharded by the yearly quarter presumably.
• HTTP Cache-Control maxage (or s-maxage), 'Expires' and 'Next Update' within the CRL file are not in sync.
• Some CAs other than Let's Encrypt also do not publish CRL URLs in the leaf certificates.
[1] https://www.sectigo.com/knowledge-base/detail/Sectigo-Interm...