Certificate revocation has always been broken in practice. OCSP is slow and creates privacy issues. CRL distribution is a mess. Honestly, most implementations just fail open when they can't reach the revocation server, so an attacker who can block that lookup gets a "valid" certificate anyway. The real problem is that revocation assumes a perfect world in which compromised certificates are immediately reported and revoked. In reality, most breaches go undetected for months…