Re: Proposal for implementing OCSP Stapling in PostgreSQL

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: David Zhang <idrawone(at)gmail(dot)com>, Pgsql Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Proposal for implementing OCSP Stapling in PostgreSQL
Date: 2024-08-14 22:42:51
Message-ID: CAOYmi+nnkjCKmB3BA_TQpipgsfEjvGyyR6TEGtBTntMAgCqzbw@mail.gmail.com
Lists: pgsql-hackers

On Wed, Aug 7, 2024 at 12:20 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>
> While I have only skimmed the patch so far and need more review before I can
> comment on it, I do have a question on the expected use of OCSP support in
> postgres. With OCSP becoming optional [0], and big providers like Let's
> Encrypt deprecating OCSP [1], is this mainly targeting organizations running
> their own CA with in-house OCSP?

That announcement took me by surprise (and, it looks like, a number of
other people [1, 2]). I get that OCSP is expensive and painful for
Let's Encrypt, based on previous outages and blog posts, but I also
figured that Must-Staple was basically the best you could do without
being a browser. It already seemed pretty clear that we shouldn't
build a client-side OCSP check. Throwing server-side stapling under
the bus with it was unexpected.

Some of the LE quotes on the matter are giving me cart-before-horse vibes:

> But it is clear to me OCSP is an ineffective technical dead-end, and we are all better served by moving on to figure out what else we can do.
>
> We may keep OCSP running for some time for certificates that have the must-staple extension, to help smooth the transition, but at this time we don’t have a plan for how to actually deprecate OCSP: just an intent, publicized to ensure we can all begin to plan for a future without it.

It's pretty frustrating to hear about a "transition" when there is
nothing to transition to.

I honestly wonder if they're going to end up walking some of this
back. The messaging reminds me of "that one project" that every
company seems to have, where it's expensive and buggy as heck, all the
maintainers want to see it deleted, and they unilaterally declare over
clients' objections that they will, only to find at the last second
that the cure is worse than the disease and then finally resign
themselves to supporting it. Tears are shed, bridges burned.

Anyways, I look forward to seeing how broken my crystal ball is this
time. The timing is awful for this patchset in particular.

--Jacob

[1] https://community.letsencrypt.org/t/sunsetting-of-ocsp-in-favor-of-older-technology/222589
[2] https://community.letsencrypt.org/t/what-will-happen-to-must-staple/222397
