On Wed, Aug 7, 2024 at 12:20 AM Daniel Gustafsson <dan...@yesql.se> wrote:
>
> While I have only skimmed the patch so far and need more review before I can
> comment on it, I do have a question on the expected use of OCSP support in
> postgres. With OCSP becoming optional [0], and big providers like Let's
> Encrypt deprecating OCSP [1], is this mainly targeting organizations running
> their own CA with in-house OCSP?

That announcement took me by surprise (and, it looks like, a number of other
people [1, 2]). I get that OCSP is expensive and painful for Let's Encrypt,
based on previous outages and blog posts, but I also figured that Must-Staple
was basically the best you could do without being a browser. It already seemed
pretty clear that we shouldn't build a client-side OCSP check. Throwing
server-side stapling under the bus with it was unexpected.

Some of the LE quotes on the matter are giving me cart-before-horse vibes:

> But it is clear to me OCSP is an ineffective technical dead-end, and we are
> all better served by moving on to figure out what else we can do.
>
> We may keep OCSP running for some time for certificates that have the
> must-staple extension, to help smooth the transition, but at this time we
> don’t have a plan for how to actually deprecate OCSP: just an intent,
> publicized to ensure we can all begin to plan for a future without it.

It's pretty frustrating to hear about a "transition" when there is nothing to
transition to. I honestly wonder if they're going to end up walking some of
this back. The messaging reminds me of "that one project" that every company
seems to have, where it's expensive and buggy as heck, all the maintainers want
to see it deleted, and they unilaterally declare over clients' objections that
they will, only to find at the last second that the cure is worse than the
disease and then finally resign themselves to supporting it. Tears are shed,
bridges burned.

Anyways, I look forward to seeing how broken my crystal ball is this time. The
timing is awful for this patchset in particular.

--Jacob

[1] https://community.letsencrypt.org/t/sunsetting-of-ocsp-in-favor-of-older-technology/222589
[2] https://community.letsencrypt.org/t/what-will-happen-to-must-staple/222397