Re: Proposal for implementing OCSP Stapling in PostgreSQL

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: David Zhang <idrawone(at)gmail(dot)com>, Pgsql Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Proposal for implementing OCSP Stapling in PostgreSQL
Date: 2024-09-03 17:20:31
Message-ID: CAOYmi+mZJDEKcLwAWgYjeYx3VTThkVEzJHYNov0eSixX_JDDRQ@mail.gmail.com
Lists: pgsql-hackers

On Mon, Sep 2, 2024 at 5:55 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> I guess they prefer that orgs transition back to just using CRL's.

From a practical perspective, I don't think anyone but browsers can do
that right now. Best I can tell, there's no CRLite client other than
Firefox, and Google's CRLSets look like a manual emergency system
rather than a general-purpose tool.

I don't think we could do it manually even if we wanted to (and we
don't want to, IMHO, for a whole host of reasons). As one specific
example, take the certificate for postgresql.org. There's no CRL
distribution point listed, and an LE blog post [1] from a couple years
back implies that they have no plans to make those available to us:

Although we will be producing CRLs which cover all certificates that we
issue, we will not be including those URLs in the CRL Distribution Point
extension of our certificates. [...] Our new CRL URLs will be disclosed
only in CCADB, so that the Apple and Mozilla root programs can consume
them without exposing them to potentially large download traffic from
the rest of the internet at large.

Frankly, it looks like they have no plan for non-browser clients. It's
feeling like one of those "Web" vs. "Internet" splits.

--Jacob

[1] https://letsencrypt.org/2022/09/07/new-life-for-crls.html
