Some initial observations:

• Google's CRLs from the same intermediate CA (same public key) have different URLs and different content when pulled from different hosts (google.com, youtube.com).

• DigiCert has sharded according to 'assurance' class, algorithm, year and acquisition's name.

• Sectigo has also sharded according to 'assurance' class [1].

• GlobalSign has sharded by the yearly quarter, presumably.

• HTTP Cache-Control max-age (or s-maxage), 'Expires' and 'Next Update' within the CRL file are not in sync.

• Some CAs other than Let's Encrypt also do not publish CRL URLs in the leaf certificates.

[1] https://www.sectigo.com/knowledge-base/detail/Sectigo-Intermediate-Certificates-ECC/kA01N000000rfGE
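The "not in sync" observation above is worth turning into a concrete check: an HTTP cache decides freshness from Cache-Control/Expires, while a relying party decides from the CRL's own nextUpdate, and if the former outlives the latter an intermediary can keep handing out a CRL the verifier must treat as stale. The following is an added example, not code from the thread; it uses only the Python standard library, and the header values and CRL dates are constructed samples (a real audit would take them from the HTTP response and from the parsed CRL).

```python
# Added example (not from the HN thread): compare an HTTP cache's view of a CRL's
# freshness with the CRL's own thisUpdate/nextUpdate window, standard library only.
# Header values and CRL dates below are constructed samples.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: value-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, val = part.split("=", 1)
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = None
    return directives


def http_freshness_deadline(headers: Dict[str, str]) -> Optional[datetime]:
    """When a cache stops serving this response without revalidating.

    Precedence follows RFC 9111: s-maxage, then max-age (both relative to the
    Date header), then the absolute Expires header. None if nothing applies.
    """
    h = {k.lower(): v for k, v in headers.items()}
    date = parsedate_to_datetime(h["date"]) if "date" in h else None
    cc = parse_cache_control(h.get("cache-control", ""))
    for directive in ("s-maxage", "max-age"):
        if date is not None and cc.get(directive) is not None:
            return date + timedelta(seconds=int(cc[directive]))
    if "expires" in h:
        return parsedate_to_datetime(h["expires"])
    return None


@dataclass
class CrlWindow:
    """thisUpdate / nextUpdate as carried inside the CRL itself."""
    this_update: datetime
    next_update: datetime


def audit_crl_caching(headers: Dict[str, str], crl: CrlWindow) -> dict:
    """Report how far the HTTP freshness lifetime overshoots nextUpdate (seconds,
    0 if it does not) and whether Expires disagrees with the max-age deadline."""
    h = {k.lower(): v for k, v in headers.items()}
    deadline = http_freshness_deadline(h)
    overshoot = None
    if deadline is not None:
        overshoot = max(0, int((deadline - crl.next_update).total_seconds()))
    expires_mismatch = False
    cc = parse_cache_control(h.get("cache-control", ""))
    has_relative = any(cc.get(d) is not None for d in ("s-maxage", "max-age"))
    if deadline is not None and has_relative and "expires" in h:
        expires = parsedate_to_datetime(h["expires"])
        # More than a minute apart: one of the two is almost certainly a static default.
        expires_mismatch = abs((expires - deadline).total_seconds()) > 60
    return {
        "http_deadline": deadline,
        "next_update": crl.next_update,
        "overshoot_seconds": overshoot,
        "expires_mismatch": expires_mismatch,
    }


# Constructed sample: a CRL valid for 24h, fetched 12h into that window with a
# 24h max-age, plus an Expires header that disagrees with the max-age deadline.
SAMPLE_HEADERS = {
    "Date": "Mon, 22 Jul 2024 12:00:00 GMT",
    "Cache-Control": "public, max-age=86400",
    "Expires": "Mon, 22 Jul 2024 18:00:00 GMT",
}
SAMPLE_CRL = CrlWindow(
    this_update=datetime(2024, 7, 22, 0, 0, tzinfo=timezone.utc),
    next_update=datetime(2024, 7, 23, 0, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for key, val in audit_crl_caching(SAMPLE_HEADERS, SAMPLE_CRL).items():
        print(f"{key}: {val}")
```

On the sample the cache is allowed to serve the file 43200 seconds (12h) past nextUpdate, and Expires points somewhere else again; a clean deployment would have the max-age deadline land at or before nextUpdate and Expires agree with it.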
We collected some data on the viability of only CRLs as the future (phasing out OCSP), motivated by Let's Encrypt's announcement today [1].

Data is on CRL availability, number of entries, expiry & refresh times, etc. from various X.509 leaf server SSL certificates.

[1] https://news.ycombinator.com/item?id=41046956