The way that browsers perform SSL certificate-revocation checking is so fundamentally flawed that some browser vendors have turned it off altogether, according to browser vendor representatives in a panel at RSA last week.
Moderated by a Certificate Authority (CA) representative, the panel involved key players from Mozilla, Google, and Opera, who all put forward potential solutions to the problem of how to check the valid status of SSL certificates issued by CAs.

At the moment, checking the valid status of an SSL certificate online depends on two methods. One is the certificate revocation list (CRL): each CA periodically publishes a list of the certificates it has revoked, and the browser checks the certificate against that list. The other is the Online Certificate Status Protocol (OCSP): when a user visits a site, the browser asks the CA's OCSP responder for the up-to-date status of that site's certificate.
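To make the two mechanisms and their failure modes concrete, here is an added Python model (not code from the article or from any of the vendors on the panel) of how a client combines an OCSP answer, a CRL lookup, and a soft-fail or hard-fail policy. All timestamps, the issuer name "Example CA" and the serial numbers are constructed for illustration; the `hard_fail` parameter and the scenario names in `demo()` are this example's own.

```python
"""Toy model of client-side certificate revocation checking: OCSP first,
CRL as fallback, then a soft-fail/hard-fail policy when neither gives a
usable answer. Standard library only; all data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Set


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # no trustworthy answer was obtained


@dataclass
class CRL:
    """A published revocation list, usable only between this_update and next_update."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)

    def lookup(self, issuer: str, serial: int, now: datetime) -> Status:
        if issuer != self.issuer:
            return Status.UNKNOWN   # another CA's list says nothing about this cert
        if not (self.this_update <= now < self.next_update):
            return Status.UNKNOWN   # a stale (or not-yet-valid) list cannot be trusted
        return Status.REVOKED if serial in self.revoked_serials else Status.GOOD


@dataclass
class OCSPResponse:
    """What a CA's responder returns for one (issuer, serial) pair."""
    issuer: str
    serial: int
    status: Status
    produced_at: datetime
    next_update: datetime


class OCSPResponder:
    """Simulated responder; reachable=False models a timeout or a blocked request."""

    def __init__(self, issuer: str, revoked: Set[int], reachable: bool = True,
                 lifetime: timedelta = timedelta(days=7)):
        self.issuer, self.revoked, self.reachable, self.lifetime = issuer, revoked, reachable, lifetime

    def query(self, issuer: str, serial: int, now: datetime) -> Optional[OCSPResponse]:
        if not self.reachable:
            return None
        if issuer != self.issuer:
            return OCSPResponse(issuer, serial, Status.UNKNOWN, now, now + self.lifetime)
        status = Status.REVOKED if serial in self.revoked else Status.GOOD
        return OCSPResponse(issuer, serial, status, now, now + self.lifetime)


def check_revocation(issuer: str, serial: int, now: datetime, ocsp: Optional[OCSPResponder],
                     crl: Optional[CRL], hard_fail: bool = False) -> bool:
    """Return True if the certificate may be accepted.

    Ask OCSP first; fall back to the CRL; if neither yields a definite, fresh
    answer, apply the failure policy. Soft-fail (hard_fail=False) accepts the
    certificate, which is the weakness the panel described: anyone who can
    block the status check makes a revoked certificate look good.
    """
    resp = ocsp.query(issuer, serial, now) if ocsp else None
    if resp is not None and resp.status is not Status.UNKNOWN \
            and resp.produced_at <= now < resp.next_update:
        return resp.status is Status.GOOD
    if crl is not None:
        status = crl.lookup(issuer, serial, now)
        if status is not Status.UNKNOWN:
            return status is Status.GOOD
    return not hard_fail


def demo() -> Dict[str, bool]:
    """Run the scenarios a practitioner cares about; returns name -> accepted?"""
    now = datetime(2012, 3, 5, tzinfo=timezone.utc)          # constructed clock
    issuer, revoked, good = "Example CA", 0x1001, 0x2002     # constructed identifiers
    fresh_crl = CRL(issuer, now - timedelta(days=1), now + timedelta(days=6), {revoked})
    stale_crl = CRL(issuer, now - timedelta(days=8), now - timedelta(days=1), {revoked})
    ocsp_up = OCSPResponder(issuer, {revoked})
    ocsp_down = OCSPResponder(issuer, {revoked}, reachable=False)
    return {
        "ocsp_good": check_revocation(issuer, good, now, ocsp_up, fresh_crl),
        "ocsp_revoked": check_revocation(issuer, revoked, now, ocsp_up, fresh_crl),
        "ocsp_down_crl_catches_it": check_revocation(issuer, revoked, now, ocsp_down, fresh_crl),
        "ocsp_down_crl_stale_softfail": check_revocation(issuer, revoked, now, ocsp_down, stale_crl),
        "ocsp_down_crl_stale_hardfail": check_revocation(issuer, revoked, now, ocsp_down, stale_crl, hard_fail=True),
        "ocsp_down_no_crl_softfail": check_revocation(issuer, revoked, now, ocsp_down, None),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:32s} accepted={accepted}")
```

The `ocsp_down_crl_stale_softfail` case is the one the article is about: a revoked certificate is accepted because the responder did not answer and the cached CRL had expired, and the default policy errs toward connectivity rather than safety. Switching to `hard_fail=True` closes that gap at the cost of rejecting every site whenever the CA's responder is unreachable, which is the trade-off the vendors on the panel were weighing.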

The link for this article located at Dark Reading is no longer available.