> There's a potential problematic practice here, which is "long time
> period between CRL issuance".

My understanding is that the update frequency of the CRLs is important in regards to the end-entity certificates, not necessarily at the CA level.

These URLs are the CRLs at the CA level, and their update frequency is indeed long unless there is a revocation of a sub-CA:

http://fedir.comsign.co.il/crl/ComSignCA.crl
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl

These URLs are at the end-entity cert level:

http://fedir.comsign.co.il/crl/ServerCA.crl
http://fedir.comsign.co.il/crl/corporate.crl

You will see that their next expected update is tomorrow.

In regards to the CRL update frequency for end-entity certs, ComSign's CPS Section 4.4.2 says "ComSign will publish a new CRL the earliest of not later than every 24 hours or immediately following revocation of a certificate."
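An added example, not part of the original message or any ComSign tooling: one way to check a CRL's thisUpdate/nextUpdate window against a publication commitment such as the 24 hours quoted from the CPS. It assumes the DER-encoded CRL bytes are already in hand and does not verify the signature; all function names are hypothetical, and the two sample CRLs and their dates are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

def read(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def x509_time(tag, body):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18), RFC 5280 year rule."""
    s = body.decode("ascii")
    if tag == 0x17:  # two-digit year: 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_window(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate may be None."""
    tbs = read(read(der, 0)[1], 0)[1]  # CertificateList -> tbsCertList
    pos = read(tbs, 0)[2] if tbs[0] == 0x02 else 0  # optional version
    pos = read(tbs, pos)[2]  # skip signature AlgorithmIdentifier
    pos = read(tbs, pos)[2]  # skip issuer Name
    tag, body, pos = read(tbs, pos)
    this_update, next_update = x509_time(tag, body), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):
        next_update = x509_time(*read(tbs, pos)[:2])
    return this_update, next_update

def check_crl(der, now, max_interval=timedelta(hours=24)):
    """List the ways a CRL misses an 'at least every max_interval' promise."""
    this_update, next_update = crl_window(der)
    if next_update is None:
        return ["no nextUpdate field"]
    findings = []
    if next_update - this_update > max_interval:
        findings.append(f"window {next_update - this_update} exceeds {max_interval}")
    if now > next_update:
        findings.append(f"stale: nextUpdate {next_update:%Y-%m-%d %H:%M}Z has passed")
    return findings

def tlv(tag, body):  # DER encoder, short-form lengths only (enough for the sample)
    return bytes([tag, len(body)]) + body

def sample_crl(this_update, next_update):
    """Constructed, unsigned CRL skeleton (empty issuer); not a real CA's CRL."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + tlv(0x30, b"")
              + tlv(0x17, this_update) + tlv(0x17, next_update))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
DAILY = sample_crl(b"100301000000Z", b"100302000000Z")   # 24-hour window
YEARLY = sample_crl(b"100301000000Z", b"110301000000Z")  # one-year window
```

Run against a CA-level CRL, a long window is reported by default; pass a larger `max_interval` where the policy for that CRL allows it.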