Fast, private and secure (pick three): Introducing CRLite in Firefox

Basically if a site's ssl certificate has been revoked by a Certificate Authority (due to fraud, shenanigans, etc...) Firefox will maintain a local list (~300kb) of all revoked certs. This way, if you visit a site with a revoked cert it will appear as untrustworthy

My hope is this stops, or slows, the shortening of certificate lifetimes. Currently the longest cert you can purchase is a 1 year cert, and google and apple are trying to force 90day, and in 2029 47 day lifetime certs. This is a headache for devices that need certs, but where cert renewals cannot be automated

2 comments

I don't really understand it, but sounds like a nifty advancement!
- Basically if a site's ssl certificate has been revoked by a Certificate Authority (due to fraud, shenanigans, etc...) Firefox will maintain a local list (~300kb) of all revoked certs. This way, if you visit a site with a revoked cert it will appear as untrustworthy
  My hope is this stops, or slows, the shortening of certificate lifetimes. Currently the longest cert you can purchase is a 1 year cert, and google and apple are trying to force 90day, and in 2029 47 day lifetime certs. This is a headache for devices that need certs, but where cert renewals cannot be automated