Microsoft CTL NotBefore Shenanigans
Every time I look at certificate management, I wonder how the fuck is it possible that this god-forsaken mess of technology can possibly work. And today, Microsoft has reinforced that feeling one more time.
Microsoft has a file format called "STL" (don't ask me what it is for), where they keep the list of certificates they trust, along with some metadata for each cert.
That metadata includes whether the certificate has been deprecated, which is really important to avoid problems if a certificate ends up in the wrong hands. So far, so good; this all makes sense.
So Microsoft has five different ways to handle deprecation (which is a bit much, but ah well), all described in this document (which had not been saved on the Wayback Machine before today, if you can believe that).