New blog post: Post-OCSP certificate revocation in the Web PKI.

With OCSP in all forms going away, I decided to look at the history and possible futures of certificate revocation in the Web PKI. I also threw in some of my own proposals to work alongside existing ones.

I think this is the most comprehensive current look at certificate revocation right now.

#security #WebPKI #LetsEncrypt #TLS #OCSP

For a blog post I’m writing about dealing with certificate revocation, here are the topics I’m covering:

• OCSP (inc. stapling, must-staple, the never-adopted expect-staple, discontinuation from BoringSSL and Let’s Encrypt)
• CRLs, inc. CRLite, CRLSets, and Let’s Revoke.
• Short-lived certs (inc. ACME-STAR, Delegated Credentials, and notAfter)

Anything else I should cover?

#WebPKI #TLS

Do you like security? Do you like privacy? Cryptography? Do you like working for a public benefit non-profit instead of an investor-beholden corporation?

Let's Encrypt is hiring for someone to join our SRE team and help run the largest Certificate Authority in the world! Come work with me and some of the most wonderful folks in tech, to make the web a better place.

abetterinternet.org/careers/le…

#jobs #sre #webPKI #security #privacy #cryptography

Let's Encrypt Software Engineer (SRE)

Posted: September 29, 2022 Start Date: January 2023 Position Status: Open Location: Remote within US Compensation: $140k USD, 100% 401k Match, Excellent Insurance We’re making HTTPS easier for developers to use, we’re doing it at scale, and we need y…

^{Internet Security Research Group}