Don't forget revocation checking = more centralised control, although they seem to have gone with very-short-lived certificates instead.
It's also literally a centralized trust model though. You know how the saying goes: if you're going to be a criminal, you may as well be the best one in town.
Revocation has many meanings. No central revocation authority is actually enforced by the BRs, as far as I know. Clients can do whatever they want. The CA can say a cert is revoked but no one has to care. Clients can also say a cert is revoked and then all their client instances start rejecting it. Most clients work this way now, like Safari -- they just distribute their own CRLs.
> Don't forget revocation checking = more centralised control
How so? Doesn't revocation have to be done by the same entity that issued the certificate?