IMO putting OCSP or CRLs in public SSL certificates was never a particularly good idea because the only likely case for a revocation is when a CA fails to validate a customer. That has happened but not often enough to motivate the building of new infrastructure.
It seems like an easier way to just roll your own certs if you want to screw somebody because it is a fairly risky business exposing your identity when you are in a fraudulent mode :-)

Somewhat related: It seems that few VPNs perform verification checks except during login, which casts a certain shadow over the verification concept for mobile devices.