Dear maintainer,

I filed an issue to preserve setting --must-staple for the renewal operation at https://github.com/certbot/certbot/issues/3844. Without the bugfix applied, certbot's renewal operation silently falls back to creating certificates without that option set. I provided an initial patchset which received further improvements from the community and finally made it into version 0.10.

To be able to use the renewal operation together with --must-staple, I kindly ask to update jessie-backports to a recent version of certbot (0.10.0 at least).

Relevance:

- The information "OCSP Must Staple" is contained in the certificate itself and, given browser support, forces clients to perform a test for revocation and not trust an entity if the revocation check fails. Scalability issues can be more or less solved by letting web servers cache and serve revocation information (via OCSP Stapling).
- I don't want to open up the discussion here, but I think that "OCSP Must Staple" should become a default one day in the future (in the sense of "secure by default").

Best regards
Thomas Mayer

--
https://www.2bis10.de
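The silent fallback described in the mail is easy to miss because the renewed certificate is otherwise valid. The following added example (not part of the original mail or of certbot) checks whether a certificate carries the TLS Feature / status_request extension that encodes OCSP Must-Staple, so a post-renewal hook or monitoring job can catch a certificate that lost the flag. It assumes `openssl` 1.1.1 or newer is available; the two certificates it generates are constructed test data.

```shell
#!/bin/sh
# Added example: detect whether a certificate has OCSP Must-Staple.
# The extension is "TLS Feature" (tlsfeature) with the value status_request;
# openssl prints it as "TLS Feature:" followed by "status_request" in -text output.
# Assumes openssl >= 1.1.1 (needed for -addext). WORK and file names are constructed.

WORK="${TMPDIR:-/tmp}/must-staple-demo.$$"
mkdir -p "$WORK"

# Prints "yes" if the PEM certificate in $1 has Must-Staple, "no" otherwise.
# -w keeps status_request_v2 (a different TLS feature) from matching.
has_must_staple() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qw 'status_request'; then
        echo yes
    else
        echo no
    fi
}

# Constructed certificates: one issued with Must-Staple, one without.
# A renewal that "silently falls back" would produce something like plain.pem
# where staple.pem was expected.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
    -addext 'tlsfeature = status_request' \
    -keyout "$WORK/staple.key" -out "$WORK/staple.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
    -keyout "$WORK/plain.key" -out "$WORK/plain.pem" 2>/dev/null

echo "staple.pem: $(has_must_staple "$WORK/staple.pem")"   # yes
echo "plain.pem:  $(has_must_staple "$WORK/plain.pem")"    # no
```

Point `has_must_staple` at the live certificate in a `--deploy-hook` or a cron job and alert when it returns `no` for a certificate that was issued with `--must-staple`.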
_______________________________________________ Letsencrypt-devel mailing list [email protected] https://lists.alioth.debian.org/mailman/listinfo/letsencrypt-devel
