Intent to End OCSP Service

  • Announcement Details: On July 23, 2024, Let's Encrypt announced that it intends to end Online Certificate Status Protocol (OCSP) support as soon as possible, in favor of Certificate Revocation Lists (CRLs). Let's Encrypt has provided an OCSP responder for nearly ten years and added CRL support in 2022.
  • Privacy Concerns: OCSP poses a significant privacy risk: the CA operating the OCSP responder learns which website is being visited from which visitor IP address. CRLs do not have this issue.
  • Operational Reasons: Keeping the CA infrastructure simple is crucial for Let's Encrypt's compliance, reliability, and efficiency. Operating OCSP services has consumed considerable resources that can be better used elsewhere, and now that CRLs are supported, the OCSP service is unnecessary.
  • CA/Browser Forum Decision: In August 2023, the CA/Browser Forum passed a ballot making OCSP services optional for publicly trusted CAs like Let's Encrypt. Microsoft is the only exception, and once the Microsoft Root Program also makes OCSP optional (expected within 6 to 12 months), Let's Encrypt will announce a specific timeline to shut down OCSP services and aim to serve the last OCSP response 3 to 6 months after the announcement. Subscribing to the API Announcements category on Discourse is the best way to stay updated.
  • Recommendation: Those relying on OCSP services should start ending that reliance as soon as possible. For Let's Encrypt certificates used in non-browser communications such as VPNs, ensure the software works correctly when the certificate carries no OCSP URL, since most OCSP implementations "fail open".
  • Organization Information: Internet Security Research Group (ISRG) is the parent organization of Let's Encrypt, Prossimo, and Divvi Up. It is a 501(c)(3) nonprofit. Consider getting involved, donating, or encouraging your company to become a sponsor to support their work.
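As an added example (not code from the announcement or from Let's Encrypt), the following pure-Python DER walk lists the revocation pointers a certificate carries, so an operator can confirm that a CRL distribution point remains once the OCSP URI is dropped. It runs here on a constructed Extensions block, but `revocation_pointers` accepts a whole DER certificate; the function names, OID constants and sample URIs are assumptions.

```python
# Added example (not the announcement's code): pure-Python DER walk listing a certificate's OCSP URIs and CRL DPs.
OID_AIA = "1.3.6.1.5.5.7.1.1"    # authorityInfoAccess extension
OID_OCSP = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp access method inside AIA
OID_CRLDP = "2.5.29.31"          # cRLDistributionPoints extension
def parse(buf):
    """Yield (tag, body) for each DER TLV in buf (short or long-form length)."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                           # long form: N length bytes follow
            nbytes, pos = length & 0x7F, pos + (length & 0x7F)
            length = int.from_bytes(buf[pos - nbytes:pos], "big")
        yield tag, buf[pos:pos + length]
        pos += length
def flatten(buf):
    """Depth-first walk; constructed elements (bit 5 of the tag set) are entered."""
    for tag, body in parse(buf):
        yield tag, body
        if tag & 0x20:
            yield from flatten(body)
def decode_oid(body):
    """Decode an OBJECT IDENTIFIER body into dotted form (base-128 arcs)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def revocation_pointers(der):
    """Scan a DER certificate (or a bare Extensions block) for OCSP and CRL URIs."""
    out = {"ocsp": [], "crl": []}
    for tag, seq in flatten(der):
        fields = list(parse(seq)) if tag == 0x30 else []
        if len(fields) < 2 or fields[0][0] != 0x06 or fields[-1][0] != 0x04:
            continue                                # not an Extension SEQUENCE {OID, [critical], OCTET STRING}
        ext_oid, inner = decode_oid(fields[0][1]), list(flatten(fields[-1][1]))
        if ext_oid == OID_CRLDP:                    # every [6] uniformResourceIdentifier under the DP
            out["crl"] += [b.decode() for t, b in inner if t == 0x86]
        elif ext_oid == OID_AIA:                    # AccessDescription: OCSP method OID followed by [6] URI
            for (t1, b1), (t2, b2) in zip(inner, inner[1:]):
                if t1 == 0x06 and decode_oid(b1) == OID_OCSP and t2 == 0x86:
                    out["ocsp"].append(b2.decode())
    return out
def tlv(tag, body):                                 # short-form DER encoder (bodies < 128 bytes) for the sample
    return bytes([tag, len(body)]) + body
# Constructed sample Extensions block (not a real certificate): one AIA (OCSP) and one CRL DP extension.
SAMPLE = tlv(0x30, tlv(0x30, bytes.fromhex("06082b06010505070101") + tlv(0x04, tlv(0x30,
    tlv(0x30, bytes.fromhex("06082b06010505073001") + tlv(0x86, b"http://ocsp.example.test")))))
    + tlv(0x30, bytes.fromhex("0603551d1f") + tlv(0x04, tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0,
    tlv(0x86, b"http://crl.example.test/shard.crl"))))))))
```

A certificate whose result has an empty `crl` list would lose all revocation pointers once the OCSP URI is removed, which is exactly the case the recommendation above asks operators to test for.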