
Announcement: Let’s Encrypt to Shut Down OCSP Server Within One Year

Let’s Encrypt has announced plans to shut down the Online Certificate Status Protocol (OCSP) servers used to check if certificates have been revoked. Instead, they will start publishing lists of revoked certificates through Certificate Revocation Lists (CRLs) soon.

CRLs are a long-standing method of announcing revoked certificates, but they have the drawback of delayed notification, with delays sometimes running to days or even weeks. OCSP was introduced to address this issue by allowing browsers to check certificates in real time. However, this method has the downside of exposing users’ IP addresses to OCSP providers across the globe.

While CRLs have been continuously improved, with publication times now reduced to just a few hours, Let’s Encrypt only started using CRLs in 2022. The CA/Browser Forum has voted to require CAs to provide OCSP services until August 2023. The Microsoft Root Program is still enforcing this requirement, but it is expected to be lifted within the next 6-12 months. After that, Let’s Encrypt will also phase out OCSP support.

Source: Let’s Encrypt

TLDR: Let’s Encrypt will stop using OCSP and switch to CRLs for publishing revoked certificates, following industry changes and advancements in certificate validation protocols.
