
Local OCSP?

Posted Aug 27, 2025 21:13 UTC (Wed) by pj (subscriber, #4506)
Parent article: Linux's missing CRL infrastructure

It's mentioned that other OSs handle this... what do they do? I can think of multiple possibilities off the top of my head:

1. maybe decide/define a well-known location for CRLs, like we do for certs and cert chains. Or maybe add a layer of indirection by defining where to find a pointer to said location (config file, soft link, whatever). If FHS changes are in the works, maybe these things could show up there?
2. maybe promulgate a local OCSP server that can be the cache. Then all the apps that talk OCSP can just talk to localhost, kind of like how talking to multiple DNS upstreams is resolved by running a local nameserver.
3. maybe CRL support could get rolled into OpenSSL such that cert verification (which already is usually its own flag, I believe?) now does CRL things as well?

This seems more a social problem than a technical one.


Local OCSP?

Posted Aug 28, 2025 12:34 UTC (Thu) by daroc (editor, #160859)

As I understand it, macOS centralizes this check through their Keychain service. An app makes a request to know whether a certificate is valid, and the service walks the chain of trust to a trust anchor, checking revocation at each step along the way.

And OpenSSL already supports this kind of thing — you "just" have to enable CRL checking and tell it where to find the CRL file. So yes, you're totally right that this is more of a social problem than a technical one. In my experience, the open source community is generally quite good at solving technical problems, so all the problems that remain so for long are social.
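The OpenSSL CRL check described above, as an added example that is not part of the thread: a shell script that builds a throwaway CA, issues a leaf certificate, revokes it in a CRL, and then runs openssl verify both without and with -crl_check. It assumes only that the openssl CLI is installed; every name and path in it is a scratch value.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA, revoke its one leaf
# certificate via a CRL, then run 'openssl verify' with and without -crl_check.
# Assumes the openssl CLI (1.1.1 or 3.x); every name and path is a scratch value.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal config for 'openssl ca', which issues both the leaf and the CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
touch index.txt; echo 1000 > serial; echo 01 > crlnumber
# Self-signed CA, then a leaf certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj /CN=DemoCA -days 365 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj /CN=leaf -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem -notext 2>/dev/null
# Revoke the leaf and publish a CRL that records the revocation.
openssl ca -batch -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
# verify_leaf on|off: exit 0 if leaf.pem verifies, non-zero otherwise. The only
# difference between the two branches is -crl_check plus where the CRL lives.
verify_leaf() {
    if [ "$1" = on ]; then
        openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem
    else
        openssl verify -CAfile ca.pem leaf.pem
    fi
}
verify_leaf off                                  # prints "leaf.pem: OK"
verify_leaf on || echo "rejected once the CRL is consulted"
```

Without the flag the revoked leaf still verifies, which is exactly the gap the parent article is about; with -crl_check and a CRL location, openssl verify reports the certificate as revoked.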


Copyright © 2025, Eklektix, Inc.