nCRL
design made it worse
nCLRs
can contain retroactive invalidity dates
nA
CRL issued today can say a cert was invalid as of last week.
nChecking
that something was valid at time t wasn’t sufficient!
nBack-dated
CRLs can appear at any time in the future
nIf
you rely on certs & CRLs you’re screwed because the CA can change the rules out
from under
you later.