- Feisty Duck's Cryptography & Security Newsletter: A periodic dispatch with commentary and news on cryptography, security, and related topics. Written by Ivan Ristić and read by over 50,000 subscribers.
- Let's Encrypt's OCSP Decision: In late 2024, Let's Encrypt announced it would stop supporting online certificate revocation checking and shut down its OCSP servers from early May 2025. Its reasoning is that OCSP does not make anyone more secure and is costly to operate: Let's Encrypt serves about twelve billion OCSP requests daily.
- Switch to Short-Lived Certificates: For better security, switch to short-lived certificates valid for only six days. Let's Encrypt will start offering them later in 2025.
- History of OCSP: Revocation checking began with Certificate Revocation Lists (CRLs), which ran into problems at web scale. OCSP was standardized in 1999, but browsers did not prioritize implementing it. Performance and reliability problems led to soft-fail OCSP checking, and Chrome disabled OCSP in 2012.
- Details of OCSP: Responses are cached for about seven days, which leaves them vulnerable to replay attacks. Online OCSP checking also leaks personal information (who is visiting which site) to the CA. OCSP stapling solves the performance and privacy issues, but Chrome and Safari never implemented it.
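To make the caching and replay point concrete, here is an added example (not code from the newsletter or from Let's Encrypt) that models an OCSP response's validity window with a strict relying-party policy and computes how long a cached "good" answer keeps being accepted after the certificate is revoked, compared with a six-day short-lived certificate. All timestamps, the seven-day window and the clock-skew allowance are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_WINDOW = timedelta(days=7)     # assumed cap on thisUpdate..nextUpdate
SKEW = timedelta(minutes=5)        # assumed clock-skew tolerance


@dataclass
class OcspResponse:
    cert_status: str                 # "good" or "revoked"
    this_update: datetime
    next_update: Optional[datetime]  # optional in real responses
    nonce_matches: Optional[bool]    # None when the responder ignored the nonce


def evaluate_response(resp: OcspResponse, now: datetime):
    """Strict relying-party check. Returns (accept, reason)."""
    if resp.this_update - SKEW > now:
        return False, "thisUpdate is in the future"
    if resp.next_update is None:
        return False, "no nextUpdate, replay window is unbounded"
    if now > resp.next_update + SKEW:
        return False, "response expired"
    if resp.next_update - resp.this_update > MAX_WINDOW:
        return False, "validity window exceeds policy maximum"
    if resp.nonce_matches is False:
        return False, "nonce mismatch"
    # nonce_matches None: response is fresh by time alone, so a
    # captured copy can be replayed until nextUpdate.
    return True, "accepted"


def ocsp_replay_exposure(resp: OcspResponse, revoked_at: datetime) -> timedelta:
    """How long a cached 'good' response stays acceptable after revocation."""
    if resp.cert_status != "good" or resp.next_update is None:
        return timedelta(0)
    return max(timedelta(0), resp.next_update + SKEW - revoked_at)


def short_lived_exposure(not_after: datetime, revoked_at: datetime) -> timedelta:
    """Exposure with no revocation checking at all: bounded by notAfter."""
    return max(timedelta(0), not_after - revoked_at)


# Constructed scenario: response fetched at t0, certificate revoked one day later.
T0 = datetime(2025, 5, 1, tzinfo=timezone.utc)
GOOD = OcspResponse("good", T0, T0 + timedelta(days=7), None)
```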
- Back to CRLs: With OCSP virtually over, the major browser vendors rely on proprietary revocation checking built on continuous processing of CRLs.
- Conclusion: OCSP is unlikely to recover because no one cares; it may still be used in private environments. Short-lived certificates offer a plausible revocation checking story.