APNIC argues that X.509 certificate revocation is widely regarded as broken, and that the underlying CA infrastructure was never designed for the scale of the modern internet.
Key Takeaways
“Revocation is broken” is a standing catchphrase in PKI and Certificate Authority circles, not a fringe view.
X.509 certificate revocation mechanisms were designed for an earlier, smaller internet and do not hold up under today's scale or today's threat models.
APNIC, as a regional internet registry, is examining the structural mismatch between how revocation was specified and how it must operate today.
The post frames this as an infrastructure design problem, not a configuration or operational failure.