Let’s Encrypt Announces Intent to End OCSP Support: A Move Towards Privacy and Efficiency
Let’s Encrypt, a leading provider of free SSL/TLS certificates, has announced its intention to discontinue support for the Online Certificate Status Protocol (OCSP) in favor of Certificate Revocation Lists (CRLs). This strategic move aims to enhance user privacy while streamlining Let’s Encrypt’s operational infrastructure.
OCSP and CRLs are both mechanisms for checking whether a certificate has been revoked, but OCSP has been criticized for its privacy implications. Because a client queries the CA's OCSP responder when it connects to a site, the CA can in principle see which sites are being visited from which IP addresses. Let's Encrypt does not retain this information, but it could be legally compelled to do so. CRLs do not carry this risk: the client downloads a list of revoked serial numbers and checks it locally, so the CA never learns which certificate was being checked.
The decision also stems from Let's Encrypt's commitment to keeping its infrastructure simple and efficient. Serving OCSP has historically consumed significant resources, which can now be reallocated elsewhere. Since Let's Encrypt added CRL support in 2022, OCSP has become redundant.
Let's Encrypt's decision aligns with recent developments in the industry. The CA/Browser Forum, the industry body that sets baseline requirements for publicly trusted CAs, recently made OCSP an optional service. Most root programs, with the exception of Microsoft's, no longer mandate it. Let's Encrypt anticipates that Microsoft will follow suit within the next year, at which point it intends to publish a definitive timeline for discontinuing OCSP.
What This Means for Users
This transition should not affect the majority of users, who rely on browsers for web access. However, users of non-browser software that depends on OCSP should prepare for the change. Let's Encrypt recommends verifying that such software accepts certificates that carry no OCSP URL. Most OCSP implementations "fail open": when no OCSP response is available they treat the certificate as valid, so those systems should keep working. Software that has been configured to fail closed, or that rejects a certificate simply because it has no OCSP URL, is what needs to be tested.
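A check for that recommendation, as an added example that is not Let's Encrypt's own code: a standard-library Python script that reports whether a certificate's extensions carry an OCSP URL (in the Authority Information Access extension), a CRL distribution point, or both. It is exercised here on constructed sample extension blocks rather than on a real certificate; the function names, the `example.invalid` URLs and the helper encoders are this example's own.

```python
OID_AIA = "1.3.6.1.5.5.7.1.1"    # authorityInfoAccess extension (RFC 5280)
OID_OCSP = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp access method: the OCSP responder URL
OID_CRLDP = "2.5.29.31"          # cRLDistributionPoints extension

def _walk(buf):
    """Yield (tag, value) for each DER element in pre-order, descending into constructed tags."""
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                               # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        val, pos = buf[pos:pos + ln], pos + ln
        yield tag, val
        if tag & 0x20:
            yield from _walk(val)

def _oid(v):                                        # OBJECT IDENTIFIER payload -> dotted form
    arcs, acc = [str(v[0] // 40), str(v[0] % 40)], 0
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [str(acc)], 0
    return ".".join(arcs)

def revocation_endpoints(cert_der):
    """Return {'ocsp': [urls], 'crl': [urls]} found in the certificate's extensions."""
    elems, ocsp, crl = list(_walk(cert_der)), [], []
    for i, (tag, val) in enumerate(elems):
        if tag != 0x06 or not val:
            continue
        extval = next((v for t, v in elems[i + 1:] if t == 0x04), b"")  # extnValue OCTET STRING
        if _oid(val) == OID_AIA:        # AccessDescription ::= { accessMethod OID, [6] URI }
            inner = list(_walk(extval))
            ocsp += [inner[j + 1][1].decode("ascii") for j, (t, v) in enumerate(inner[:-1])
                     if t == 0x06 and _oid(v) == OID_OCSP and inner[j + 1][0] == 0x86]
        elif _oid(val) == OID_CRLDP:    # collect every uniformResourceIdentifier [6]
            crl += [v.decode("ascii") for t, v in _walk(extval) if t == 0x86]
    return {"ocsp": ocsp, "crl": crl}
def der(tag, payload):                  # short-form length only: enough for the samples below
    return bytes([tag, len(payload)]) + payload
def der_ext(oid_hex, inner):            # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    return der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x04, inner))
# Constructed sample Extensions blocks (not taken from any real certificate).
CRLDP_EXT = der_ext("551d1f", der(0x30, der(0x30, der(0xA0, der(0xA0,
            der(0x86, b"http://crl.example.invalid/1.crl"))))))
AIA_EXT = der_ext("2b06010505070101", der(0x30, der(0x30, der(0x06,
          bytes.fromhex("2b06010505073001")) + der(0x86, b"http://ocsp.example.invalid"))))
CRL_ONLY = der(0x30, CRLDP_EXT)                  # what a post-OCSP certificate will carry
OCSP_AND_CRL = der(0x30, AIA_EXT + CRLDP_EXT)    # what today's certificates carry
```

Passing the DER of a real leaf certificate to `revocation_endpoints` shows what a non-browser client will see; a result with an empty `ocsp` list and a populated `crl` list is the shape such clients must accept once the phase-out completes.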
Looking Ahead
Let’s Encrypt encourages all users currently relying on OCSP to initiate the transition to CRLs promptly. Updates on the OCSP phase-out timeline will be available through Let’s Encrypt’s API Announcements category on Discourse.
This move by Let’s Encrypt underscores a growing emphasis on privacy and efficiency within the digital certificate landscape. By prioritizing user privacy and optimizing its infrastructure, Let’s Encrypt is poised to continue providing secure and reliable certificate services in the years to come.