Let’s Encrypt Plans to Discontinue Its OCSP Certificate Status Service, Shifting to the More Privacy-Friendly CRL
The Online Certificate Status Protocol (OCSP) lets a browser ask a certificate authority, at connection time, whether a specific digital certificate is still valid. The browser sends the CA's OCSP responder an identifier for the certificate it has just been presented (its serial number plus hashes of the issuer), and the responder answers "good" or "revoked", so the browser can refuse the connection as soon as a certificate has been revoked.
OCSP, however, poses a privacy problem. The responders are operated by the certificate authorities (CAs) themselves, so a browser performing the check has to contact the CA whenever it visits a site whose certificate it wants to verify. That request names one particular certificate and arrives from the user's IP address, which lets the CA learn which websites a user visits, and when.
Let’s Encrypt's own OCSP servers do not record this information, but there is no guarantee that every other CA refrains from collecting and monetizing such data, which makes the design itself a privacy weakness.
In 2022, Let’s Encrypt deployed a Certificate Revocation List (CRL), which covers the same need as OCSP with better privacy. A CRL is a signed list of the serial numbers of every revoked certificate; a client downloads the whole list and checks certificates against it locally, so the CA only sees that the list was fetched, never which site a given user is visiting. On that basis, Let's Encrypt is now preparing to retire OCSP.
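To make the difference concrete, here is an added example (not Let’s Encrypt's or any CA's code) that builds both sides of the OCSP exchange described above and the CRL lookup that replaces it, entirely offline against a throwaway CA. It assumes the `cryptography` Python package is installed; the CA, the leaf certificate, the hypothetical names and the revocation are all constructed inside the script, and nothing is fetched from a real CA.

```python
"""Added example, not Let's Encrypt's or any CA's code: the OCSP exchange
and the CRL lookup that replaces it, built offline against a throwaway CA.
Assumes the `cryptography` package is installed.  The CA, the leaf
certificate and the revocation are all constructed here (test data)."""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)
DER = serialization.Encoding.DER


def make_ca_and_leaf():
    """Constructed test PKI: one CA and one leaf it issued (hypothetical names)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")]))
            .issuer_name(ca_name).public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 90 * DAY)
            .sign(ca_key, hashes.SHA256()))
    return ca_key, ca, leaf


# --- OCSP: one request per certificate, answered live by the CA -------------

def build_ocsp_request(leaf, ca):
    """What the browser sends to the CA's OCSP responder (DER-encoded)."""
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf, ca, hashes.SHA1()).build()
    return req.public_bytes(DER)


def what_the_responder_learns(request_der, ca):
    """Parse the request as the CA would.  The CertID pins down exactly one
    certificate (serial number plus hashed issuer name and key); combined with
    the client's source IP, the CA learns which site is being visited and when."""
    req = ocsp.load_der_ocsp_request(request_der)
    # issuerNameHash is the hash (SHA-1 here) over the DER of the issuer's Name.
    expected_name_hash = hashlib.sha1(ca.subject.public_bytes()).digest()
    return {
        "serial_number": req.serial_number,
        "issuer_name_hash_matches": req.issuer_name_hash == expected_name_hash,
        "hash_algorithm": req.hash_algorithm.name,
    }


def sign_ocsp_response(ca_key, ca, leaf, revoked):
    """The responder's side: a signed per-certificate answer, good or revoked."""
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf, issuer=ca, algorithm=hashes.SHA1(), cert_status=status,
        this_update=NOW, next_update=NOW + DAY,
        revocation_time=NOW if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(DER)


def ocsp_status(response_der):
    """Client-side read of the answer: (response status, certificate status)."""
    resp = ocsp.load_der_ocsp_response(response_der)
    return resp.response_status.name, resp.certificate_status.name


# --- CRL: one signed bulk list, checked locally -----------------------------

def build_crl(ca_key, ca, revoked_serials):
    """The CA publishes a signed list of every revoked serial number."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
               .last_update(NOW).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(DER)


def crl_says_revoked(crl_der, ca, serial):
    """Local lookup.  The client fetched the list once; this check involves no
    network traffic, so the CA never learns which serial number was checked."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    return crl.get_revoked_certificate_by_serial_number(serial) is not None


if __name__ == "__main__":
    ca_key, ca, leaf = make_ca_and_leaf()
    print("OCSP request exposes:", what_the_responder_learns(build_ocsp_request(leaf, ca), ca))
    print("OCSP answer after revocation:", ocsp_status(sign_ocsp_response(ca_key, ca, leaf, True)))
    crl_der = build_crl(ca_key, ca, [leaf.serial_number])
    print("CRL lookup for leaf serial:", crl_says_revoked(crl_der, ca, leaf.serial_number))
```

The contrast is in where the identifying information flows: `what_the_responder_learns` shows that every OCSP request hands the CA a single certificate's identity, while `crl_says_revoked` performs the same revocation decision against a list that was fetched once and verified with the CA's public key, with no per-site request at all.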
Operating OCSP is also costly because of the sheer number of certificates Let’s Encrypt issues. Every visit to a site secured with a Let’s Encrypt certificate can trigger a request to its OCSP responders, which places a considerable load on that infrastructure.
For these reasons, Let’s Encrypt plans to phase out OCSP in favor of CRLs within the next 6 to 12 months. Dropping OCSP is not expected to disrupt current operations, since browsers already support CRL-based revocation checking.
The sticking point is Microsoft, whose root certificate program still treats OCSP as mandatory rather than optional. As long as that requirement stands, some client software that relies on Let’s Encrypt certificates could stop working once OCSP responses are no longer served, which makes Microsoft's decision the biggest hurdle at present.
Let’s Encrypt is optimistic that Microsoft will make OCSP optional within the same 6 to 12 month window, and announcing the shutdown now is partly intended to prompt Microsoft to act sooner rather than later. So far, Microsoft has not responded.