> I'm not quite sure I follow you here. OCSP is the online query stuff,
> and is something that gnutls doesn't do, I think, and which is probably
> not something we want to do either. (Chrome doesn't, for instance.)

GnuTLS has had the ability to do OCSP since 3.1.3, released back in 2012.
This is how you do it according to the manual. Chrome's primary check OOTB
is its own curated CRLSet, but it does use OCSP for some EV certs, and
relies on the underlying library to do OCSP. You can also enable it in
Chrome if you want.

> But a certificate revocation list is something we could consider
> distributing via ELPA, but that's a bigger project...

No. Emacs has a defined list of CA bundle PEM files (`gnutls-trustfiles`)
it looks for now; the same can be done for CRL files. Users can
periodically update their CA bundle and CRL bundle. The CA bundle on *nix
is typically Mozilla's, which is covered by the default list in
`gnutls-trustfiles`. A complete list of CRLs in PEM format typically
doesn't exist on most systems, but can be generated with `igtf-ca-bundle`
+ `fetch-crl`. I just generated them on macOS via MacPorts; Linux should
also be a matter of installing a few packages and running `fetch-crl`.

> Or do you mean OCSP stapling? There's so much going on in this area
> (because it's a clusterfuck to begin with) that it can be challenging
> keeping track. :-)

Nah, it's just a couple more lines of C code. See GnuTLS's manual on OCSP
above.
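What "the same can be done for CRL files" could look like on the Emacs side, as an added example that is not code from this thread or from Emacs itself. It relies on `gnutls-trustfiles` (the function in gnutls.el that returns the readable CA bundles from the list above) and on the `:crlfiles` parameter of `gnutls-negotiate`; the `my-` names and the two CRL bundle paths are assumptions, since where `fetch-crl` writes its bundle depends on how it was configured.

```elisp
;; Added example, not code from the thread or from Emacs.  Candidate CRL
;; bundle locations, mirroring how `gnutls-trustfiles' lists CA bundles.
;; Both paths are assumptions: fetch-crl's output directory depends on
;; its configuration, so adjust them to your installation.
(defvar my-gnutls-crlfiles
  '("/etc/grid-security/certificates/crl-bundle.pem"
    "/usr/local/etc/ssl/crl-bundle.pem")
  "Candidate PEM CRL bundles, checked in order.")

(defun my-gnutls-crlfiles ()
  "Return the readable CRL bundles from `my-gnutls-crlfiles'."
  (seq-filter #'file-readable-p my-gnutls-crlfiles))

(defun my-open-tls-stream (host port)
  "Open a TLS connection to HOST:PORT.
The peer is verified against the CA bundles Emacs already knows
(`gnutls-trustfiles') and the CRL bundles found by `my-gnutls-crlfiles'.
With `:verify-error' set to t, a certificate listed in one of the CRLs
makes the handshake fail instead of silently proceeding."
  (let ((proc (open-network-stream (format "tls-%s" host) nil host port
                                   :type 'plain)))
    (gnutls-negotiate :process proc
                      :hostname host
                      :trustfiles (gnutls-trustfiles)
                      :crlfiles (my-gnutls-crlfiles)
                      :verify-error t)))

;; Usage (opens a real network connection):
;; (my-open-tls-stream "example.com" 443)
```

If `my-gnutls-crlfiles` returns nil because no bundle is installed, GnuTLS simply performs no CRL check, which is the same behaviour as today; run `fetch-crl` periodically so the bundle's `nextUpdate` dates do not lapse, since an expired CRL is treated as a verification failure by GnuTLS.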