[$] Linux's missing CRL infrastructure

by daroc from LWN.net (#6ZHW4)

In July 2024, Let's Encrypt, the nonprofit TLS certificate authority (CA), announced that it would be ending support for the online certificate status protocol (OCSP), which is used to determine when a server's signing certificate has been revoked. This prevents a compromised key from being used to impersonate a web server. The organization cited privacy concerns, and recommended that people rely on certificate revocation lists (CRLs) instead. On August 6, Let's Encrypt followed through and disabled its OCSP service. This poses a problem for Linux systems that must now rely on CRLs because, unlike on other operating systems, there is no standardized way for Linux programs to share a CRL cache.
