diff --git a/content/posts/post-ocsp-revocation.md b/content/posts/post-ocsp-revocation.md
index 6ff7c03..3e6a29a 100644
--- a/content/posts/post-ocsp-revocation.md
+++ b/content/posts/post-ocsp-revocation.md
@@ -307,7 +307,7 @@ Today, Certificate Authority Authorization (CAA) DNS records restri
- Restrict issuance to short-lived certificates.
- Restrict approved delegates for delegated credentials.
-With the first extension, an attacker who triggers a misissuance would compromise it for a few days or hours months. The second extension limits the potential for rogue delegates to serve traffic on behalf of an IdO.
+With the first extension, an attacker who triggers a misissuance would compromise it for a few days or hours rather than months. The second extension limits the potential for rogue delegates to serve traffic on behalf of an IdO.
I want to see the protections offered by Expect-Staple preloading for short-lived certificates. HTTPS Resource Records (RRs) or client-side preload lists can proactively tell clients to distrust any long-lived certificate for a domain.[^12]