caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

CA/Browser Forum declared OCSP as optional #6282

Closed TheLoxe closed 2 months ago

TheLoxe commented 2 months ago

In 2023 the CA/Browser Forum decided to make OCSP optional and only require CRLs for certificates and browsers to be supported. Sources: https://cabforum.org/2023/07/14/ballot-sc-063-v4-make-ocsp-optional-require-crls-and-incentivize-automation/

https://github.com/cabforum/servercert/commit/90a98dc7c1131eaab01af411968aa7330d315b9b

Therefore, please change disable_ocsp_stapling to enable_ocsp_stapling and leave the default setting set to false.

francislavoie commented 2 months ago

It makes no sense to turn it off by default. OCSP stapling is a huge benefit to users and server operators. It means browsers don't need to hit the responders (saving a lot of traffic globally), and it means the server can check periodically for revocation (which is not unheard of: if a CA has a bug, mass revocation events happen).

The only time it makes sense to turn it off is if your server isn't able to reach OCSP responders anyway, due to network conditions. But that's rare.

TheLoxe commented 2 months ago

Ok, but then please improve the CLI output. Currently it shows up as an error, but it should be just informational.

Google, Mozilla, etc. won't use OCSP in the future so it won't be the "huge benefit" you describe. (You can see within the ballot that Google, Mozilla and Apple voted for the change, not against it.)

francislavoie commented 2 months ago

What error?

mholt commented 2 months ago

Caddy is neither a web browser nor a CA; the CAB Forum rules do not apply to web servers. The new rule simply changes the requirements regarding OCSP for CAs to be trusted by web browsers; this has no effect on web servers.

Most CAs are still operating OCSP responders. Disabling OCSP stapling puts Web security at a disadvantage at this point. OCSP stapling is a privacy enhancement and traffic reducer. Caddy will not be disabling it by default.

Any errors encountered during OCSP stapling, however, are not treated as fatal/blockers; they are logged, but not as errors.

I don't think there's anything actionable for us to do at this time, so I'll close this issue.
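Since the thread turns on whether a server staples OCSP at all, here is a small probe for that, written in Go as an added example (it is not Caddy's code): `StapledOCSP` dials a TLS server and returns whatever status response it stapled, and `ServeWithStaple` spins up a loopback listener with a throwaway certificate so the probe can be exercised offline. The staple bytes used in the test are a constructed placeholder, not a real OCSP response, and the example assumes loopback networking is available.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// StapledOCSP connects to addr (Go's TLS client always asks for certificate
// status) and returns the raw DER OCSP response the server stapled, nil if none.
// Verification is skipped so the probe also works against test certificates.
func StapledOCSP(addr string) ([]byte, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().OCSPResponse, nil
}

// ServeWithStaple starts a loopback TLS listener whose throwaway self-signed
// certificate carries staple (nil = no stapling) and returns its address.
func ServeWithStaple(staple []byte) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, OCSPStaple: staple}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() { // serve a single handshake, then shut down
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
		ln.Close()
	}()
	return ln.Addr().String(), nil
}
```

Against a real deployment, point `StapledOCSP` at the site's host:443 and decode the returned bytes with golang.org/x/crypto/ocsp to read the actual revocation status; an empty result means the server is not stapling.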