Intent to end OCSP service

Impact on typical Let’s Encrypt users

  • For standard HTTPS sites served by nginx, Apache or Caddy with an ACME client, commenters say no config changes are needed and nothing will “break,” at least on the current multi‑year timeline.
  • The change mostly affects implementers of revocation‑checking logic, not ordinary server admins.

CRLs vs OCSP: tradeoffs

  • OCSP:
    • Praised for inline, per‑cert status and potential privacy when stapled.
    • Criticized for “fail open” behavior (browsers treat a slow or unreachable responder as “good,” so blocking the OCSP query hides a revocation), privacy leaks when queried directly (the responder learns which sites a client visits), unreliability, and operational complexity (on‑demand signing, caches, CDNs).
    • Stapling and Must‑Staple exist but are poorly or inconsistently implemented in major servers. A server with stapling enabled simply serves no staple once the responder is gone; only certificates carrying the Must‑Staple extension would fail in clients that honor it.
  • CRLs:
    • Historically seen as large and slow; some argue they “don’t scale.”
    • Others note that modern partitioned (sharded) CRLs are small (hundreds of KB per shard), and that browsers distribute compressed summaries of them (Chrome’s CRLSets, Firefox’s CRLite) rather than having every client fetch them.
    • Concern that a CRL lists only revoked serials: a certificate absent from the CRL looks “good” even if the CA has no record of ever issuing it (a “forgotten” or mis‑issued certificate), whereas an OCSP responder backed by the issuance database can answer “unknown.”
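To make the tradeoff concrete, here is an added Go example (not code from the discussion, from Let’s Encrypt, or from any CA) that builds a throwaway in‑memory CA, issues leaf certificates, signs a CRL, and compares a fail‑closed client‑side CRL check against a responder backed by the CA’s issuance database. The CA name, leaf names and serial numbers are constructed for the example; `ocspStatus` stands in for what an OCSP responder would answer and does not speak the OCSP wire protocol. It assumes Go 1.19 or newer (generics, `x509.ParseRevocationList`).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type testCA struct { // a throwaway in-memory issuing CA constructed for this example
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	issued  map[string]bool     // issuance database, what an OCSP responder consults
	revoked map[string]*big.Int // revoked serials, what goes into the CRL
}

func newTestCA() *testCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is needed to sign CRLs
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &testCA{cert: must(x509.ParseCertificate(der)), key: key, issued: map[string]bool{}, revoked: map[string]*big.Int{}}
}

// issue signs a leaf; record=false models a certificate the CA signed but kept no record of.
func (ca *testCA) issue(serial int64, cn string, record bool) *x509.Certificate {
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &leafKey.PublicKey, ca.key))
	cert := must(x509.ParseCertificate(der))
	if record {
		ca.issued[cert.SerialNumber.String()] = true
	}
	return cert
}

// signCRL produces a DER CRL that is valid for lifetime from now.
func (ca *testCA) signCRL(number int64, lifetime time.Duration) []byte {
	var entries []pkix.RevokedCertificate
	for _, n := range ca.revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: n, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(lifetime), RevokedCertificates: entries}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
}

// ocspStatus models a responder backed by the issuance database: it can answer "unknown".
func (ca *testCA) ocspStatus(c *x509.Certificate) string {
	switch s := c.SerialNumber.String(); {
	case ca.revoked[s] != nil:
		return "revoked"
	case !ca.issued[s]:
		return "unknown"
	}
	return "good"
}

// crlStatus is the client side: confirm the CRL is from the issuer and current, then look for
// the serial. A bad or stale CRL is an error, never "good" (fail closed).
func crlStatus(c, issuer *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL not valid at %s; refusing to fail open", now.UTC().Format(time.RFC3339))
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil // absent from the CRL only means "not known to be revoked"
}

func main() {
	ca := newTestCA()
	ghost := ca.issue(1003, "forgotten", false) // signed by the CA, never recorded
	s, err := crlStatus(ghost, ca.cert, ca.signCRL(7, time.Hour), time.Now())
	fmt.Println("CRL:", s, err, "| issuance-backed responder:", ca.ocspStatus(ghost))
}
```

Run it with `go run`. The leaf the CA signed but never recorded comes back “good” from the CRL and “unknown” from the issuance‑backed responder, which is exactly the gap the last bullet describes. The client check is deliberately fail‑closed: a CRL consulted after its NextUpdate, or one signed by a different CA, is an error rather than a silent “good,” the opposite of the soft‑fail behavior browsers adopted for live OCSP.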

Browser strategies and standards changes

  • Major root programs now allow CAs to omit OCSP URLs from certificates; commenters name Microsoft’s root program as the last big holdout still requiring OCSP.
  • Major browsers increasingly rely on pushed, compressed revocation data derived from CRLs rather than on live OCSP queries from the client.

Non‑HTTP / non‑browser and embedded concerns

  • Many non‑browser TLS clients (mail servers, databases, embedded devices) reportedly don’t do revocation checking today.
  • OCSP stapling had been a workable path for some of these; replacing it with CRLs that must be fetched over HTTP, cached, and refreshed before each NextUpdate is seen as impractical for many non‑HTTP or minimal clients.
  • Worry that a CRL‑only world will push these ecosystems to simply ignore revocation.

Server behavior, automation, and monitoring

  • Several argue revocation checking is the relying party’s job: a TLS server needs no CRL/OCSP support unless it validates client certificates (mTLS), where it is the relying party.
  • Let’s Encrypt promotes automated handling via ACME Renewal Information (ARI, now RFC 9773): the client periodically asks the CA for a suggested renewal window for each certificate, and for a revoked certificate the CA can return a window that is already in the past, i.e. “renew now,” avoiding human email loops.
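The identifier an ACME client sends to the ARI endpoint, and the “renew now” decision it makes from the answer, as an added Go example (not code from the discussion or from any ACME client). The AKI keyIdentifier and serial number are the values used in the worked example in RFC 9773; the two JSON responses are constructed in the RFC’s shape, not captured from a real CA, and `https://example.invalid/...` is a placeholder URL.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"math/rand"
	"time"
)

// AKI keyIdentifier and serial number from the RFC 9773 worked example.
var exampleAKI = []byte{0x69, 0x88, 0x5B, 0x6B, 0x87, 0x46, 0x40, 0xE1, 0xE1, 0x1E, 0xAB, 0xEE,
	0x61, 0xD9, 0x9B, 0xB5, 0x7F, 0x3B, 0x2D, 0xEF, 0x73}
var exampleSerial = big.NewInt(0x87654321)

// derIntegerContent returns the content octets of a DER INTEGER for a non-negative value:
// minimal big-endian bytes, with a leading 0x00 when the top bit is set so it is not read as negative.
func derIntegerContent(n *big.Int) ([]byte, error) {
	if n.Sign() < 0 {
		return nil, errors.New("serial numbers are never negative (RFC 5280)")
	}
	b := n.Bytes()
	if len(b) == 0 || b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return b, nil
}

// ariCertID builds the path segment appended to the directory's renewalInfo URL:
// base64url(AKI keyIdentifier) "." base64url(serial DER content), both without padding.
func ariCertID(akiKeyID []byte, serial *big.Int) (string, error) {
	if len(akiKeyID) == 0 {
		return "", errors.New("certificate has no Authority Key Identifier; ARI cannot identify it")
	}
	ser, err := derIntegerContent(serial)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(akiKeyID) + "." + enc.EncodeToString(ser), nil
}

// renewalInfo is the JSON body the ARI endpoint returns.
type renewalInfo struct {
	SuggestedWindow struct {
		Start time.Time `json:"start"`
		End   time.Time `json:"end"`
	} `json:"suggestedWindow"`
	ExplanationURL string `json:"explanationURL,omitempty"`
}

// planRenewal applies the client rule from RFC 9773: pick a uniformly random instant inside
// the suggested window; if that instant is already in the past, renew immediately.
func planRenewal(body []byte, now time.Time) (renewNow bool, at time.Time, err error) {
	var ri renewalInfo
	if err := json.Unmarshal(body, &ri); err != nil {
		return false, time.Time{}, err
	}
	span := ri.SuggestedWindow.End.Sub(ri.SuggestedWindow.Start)
	if span <= 0 {
		return false, time.Time{}, errors.New("renewalInfo window is empty or reversed")
	}
	at = ri.SuggestedWindow.Start.Add(time.Duration(rand.Int63n(int64(span))))
	return !at.After(now), at, nil
}

// Constructed responses in the RFC 9773 shape (not captured from a real CA). The first is what
// a CA returns for a revoked certificate: a window entirely in the past, i.e. "renew now".
const revokedResponse = `{"suggestedWindow":{"start":"2024-07-01T00:00:00Z","end":"2024-07-01T01:00:00Z"},
 "explanationURL":"https://example.invalid/ari-revoked"}`
const healthyResponse = `{"suggestedWindow":{"start":"2099-01-01T00:00:00Z","end":"2099-01-03T00:00:00Z"}}`

func main() {
	id, err := ariCertID(exampleAKI, exampleSerial)
	fmt.Println("GET <renewalInfo URL>/"+id, err)
	for _, body := range []string{revokedResponse, healthyResponse} {
		rn, at, err := planRenewal([]byte(body), time.Now())
		fmt.Printf("renew now: %v (chosen instant %s) %v\n", rn, at.Format(time.RFC3339), err)
	}
}
```

The client takes the `renewalInfo` URL from the ACME directory and appends the identifier; the serial’s DER content bytes matter because a serial with its top bit set gets a leading 0x00, so encoding `SerialNumber.Bytes()` directly would produce a different, wrong identifier. A window whose end has already passed is how the CA says “renew immediately,” which is what it returns for a revoked certificate, so nobody has to read an email to act on it.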

CA operations, transparency, and revocation data

  • Running OCSP at global scale is described as expensive and brittle, diverting resources from other CA work.
  • Some propose keeping an OCSP responder whose URL is published only in the CCADB rather than in each certificate’s AIA extension, so browsers stop querying it while researchers and auditors still can; others doubt it would simplify operations enough.
  • Certificate Transparency logs make it hard for CAs to “forget” issuances, but CT records only that a certificate exists, not whether it is still trusted, so revocation state still requires separate systems (CRLs/OCSP).