On Tue, 2012-12-11 at 12:59 -0800, Juan Lang wrote:
Getting the client to trust the server cert can be as easy as ignoring untrusted root errors, if you don't think this impacts the revocation results.
Returning revocation is straightforward enough, assuming you have a server under your control.
So self-sign the CRL too. I guess that might work if ignoring untrusted root errors extends to verification of the CRL.