The description of the shortlived profile says that "they do not need to contain any revocation information", but the features table says that they do contain a CRL. (My certificates, at least, agree with the table.) IMO shortlived certificates should not include a CRL, but until/unless that change is made, the description should make clear that this is only a theoretical advantage, or not mention it at all.
7 Likes
Let's Encrypt originally planned to have no revocation information in their 6 day certificates ("Our six-day certificates will not include OCSP or CRL URLs." [1]). However, it was later revealed that some root programs, including Microsoft and 360 browser, require either CRL or OCSP to be present in all certificates. As such, the removal of revocation support for shortlived certificates was delayed for compliance reasons. As far as I know, removing revocation support (=removing CRLs) is still planned for shortlived, but is blocked by policy changes.
Much of the original documentation around shortlived was probably written with the original assumption in mind. Hopefully in the near future this will also become the reality, but as you correctly noted this isn't the case right now.
13 Likes