The problem is that a ton of certificate authorities consciously chose not to produce validation data previously, created insecure CAs, chose not to cache validation data, had knee-jerk reactions to potential exposures, and many industries chose not to invest in technical capability to make revocation data available, performant, resilient, failing over, failing gracefully, etc.
MITM is now the default for half the enterprise security solutions operating with cert-to-website “suspected good whitelists”, which makes new domains on HN nigh unreadable.