FlyerTalk Forums - View Single Post - New Heartbleed Bug
Old Apr 25, 2014 | 9:30 pm
  #15  
Loren Pechtel
FlyerTalk Evangelist
Join Date: Jun 2005
Posts: 38,543
Originally Posted by gqZJzU4vusf0Z2,$d7
- Too few Certificate Authorities are following the rules regarding certificate
revocation. By contract, a certificate authority is obligated to revoke
certificates within 24 hours if there is evidence of a key compromise.

--- A private key is considered to be compromised if its value has been
--- disclosed,
--- *OR*
--- if there exists a practical technique by which an unauthorized
--- person may discover its value (the private key). This did not happen
--- and is not yet happening. There should have been ~500k
--- revocations by now, and we've seen only a trickle.

- IMHO, the certificate revocation infrastructure has failed us. It needs
to be re-architected. I suggest starting with something more in the
spirit of DNSSEC.
There's no point in revoking a certificate if the system is still compromised.