cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: "Philipp Gühring" <pg AT futureware.at>
- To: cacert-sysadm AT lists.cacert.org, ulrich AT cacert.org
- Subject: RE: FW: crl-download
- Date: Mon, 15 Apr 2013 22:17:07 +0200
Hi,
Regarding stripping certificates from the CRLs, I suggest stripping only
server certificates, which are seldom used for long-term applications
like digital signatures, and not stripping client certificates.
Some time ago, I switched the CRLs from www.cacert.org to crl.cacert.org,
so that we can easily add more machines (mirrors) in different locations
that can host crl.cacert.org. The secondary servers can get their main
copy from www.cacert.org, where the original CRLs are hosted. Since
the CRLs are digitally signed, we only have to check those mirrors for
availability and freshness, but evil mirrors cannot do any harm besides
not delivering the correct CRLs.
But my general suggestion is that we should stop CRL issuing as a whole in
the long term. As a first step, I would not offer the links on the website
anymore.
Or perhaps add a donation page as an intermediate page when someone wants
to download the CRL explicitly from the website, and explain to people
that it costs us enormous amounts of traffic.
Do we have any applications out there that really absolutely need CRLs,
and can't do OCSP at all? I would expect most applications to have already
switched over to OCSP, and perhaps only have CRLs as fallback supported,
or am I wrong there?
I currently only know one use-case you use CRLs for, that OCSP does not cover:
Analyzing how many certificates a CA has issued, in total and over time.
Best regards,
Philipp Gühring
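
The mirror check described in the message above (signature plus freshness), as an added example that is not part of the original mail and not CAcert's own tooling. It assumes the Python `cryptography` package; the CA key and CRLs are constructed in-process, and `make_crl`, `check_mirror_crl` and the two-day `max_age` threshold are hypothetical names and values.

```python
# Added example: constructed CA key and CRLs, no network access.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc

def make_crl(key, this_update, next_update, serials=()):
    """Sign a constructed CRL; stands in for what the primary server publishes."""
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer)
         .last_update(this_update).next_update(next_update))
    for serial in serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(this_update).build())
    return b.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def _aware(crl, field):
    # Newer cryptography releases expose *_utc; older ones return naive UTC datetimes.
    value = getattr(crl, field + "_utc", None) or getattr(crl, field)
    return value.replace(tzinfo=UTC) if value else None

def check_mirror_crl(der, ca_public_key, now, max_age=dt.timedelta(days=2)):
    """Classify a CRL fetched from a mirror (hypothetical helper)."""
    try:
        crl = x509.load_der_x509_crl(der)
    except ValueError:
        return "unparseable"
    if not crl.is_signature_valid(ca_public_key):
        return "bad-signature"      # not signed by the CA: reject outright
    next_update = _aware(crl, "next_update")
    if next_update is None or next_update < now:
        return "expired"            # mirror stopped syncing or serves an old CRL
    if now - _aware(crl, "last_update") > max_age:
        return "stale"              # still valid, but lags behind the primary
    return "ok"
```

A validly signed but outdated CRL passes the signature check, which is why the freshness tests run separately from it.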