Let's Encrypt to end OCSP support in 2025

25 points by janandonly, 5 months ago

4 comments

Its_Padar, 5 months ago
Wouldn't it be a better idea to use the original blog post direct from Let's Encrypt[1]?

[1] https://letsencrypt.org/2024/12/05/ending-ocsp/?
wkat4242, 5 months ago
> What do we do if the OCSP Responder is down? Well, it turns out, clients don't really care and they just skip the check and accept the certificate anyway, making the whole thing pointless. OCSP checking add no security!

Don't agree with this statement. It's only adding no security when the CA is down. In case a Cert is revoked and the OCSP is up, it will be blocked.

But I understand their reasons to drop it.
OptionOfT, 5 months ago
I went through a similar journey when trying to figure out how to revoke JWTs, i.e. forcefully sign out everywhere.

We ended up on the following: Either you accept the fact that once signed, it has a life on its own until it expires, or the issuer becomes the single point of failure.

Another issue we dealt with was validating that the person doing the request with a JWT was the owner of the JWT, and not someone who stole it. A possible fix? Distribute private keys to clients, and have them sign the JWTs on the fly. How do you check for revoked private keys? Catch-22.
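
Added example, not part of the thread or any commenter's code: a Python sketch of the trade-off the two comments above describe (soft-fail revocation checks, as with OCSP, versus an issuer that becomes a single point of failure). A minimal HMAC-signed token stands in for a JWT; `RevocationService`, `issue`, `verify`, the key and the token id are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample secret, not from the thread

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def issue(sub: str, jti: str, ttl: int, now: int) -> str:
    """Issue a simplified signed token (stand-in for a JWT)."""
    body = _b64(json.dumps({"sub": sub, "jti": jti, "exp": now + ttl}).encode())
    return f"{body}.{_sign(body)}"

class RevocationService:
    """Hypothetical issuer-side revocation endpoint, like an OCSP responder."""
    def __init__(self):
        self.revoked, self.up = set(), True

    def is_revoked(self, jti: str) -> bool:
        if not self.up:
            raise ConnectionError("revocation service unreachable")
        return jti in self.revoked

def verify(token: str, now: int, revocation=None, fail_closed=False) -> str:
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return "reject: bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if now >= claims["exp"]:
        return "reject: expired"
    if revocation is None:
        return "accept"  # stateless: valid until exp, revocation is invisible
    try:
        if revocation.is_revoked(claims["jti"]):
            return "reject: revoked"
    except ConnectionError:
        # Soft-fail accepts without a check; hard-fail makes the issuer a
        # single point of failure for every request.
        return "reject: status unknown" if fail_closed else "accept (unchecked)"
    return "accept"

if __name__ == "__main__":
    svc, tok = RevocationService(), issue("alice", "tok-1", ttl=300, now=1000)
    svc.revoked.add("tok-1")
    svc.up = False  # simulated responder outage
    print(verify(tok, 1100, svc), "|", verify(tok, 1100, svc, fail_closed=True))
```

With the service down, the revoked token is accepted under soft-fail and rejected under hard-fail, along with every other token.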
gnabgib, 5 months ago
Discussion (422 points, 5 months ago, 108 comments) https://news.ycombinator.com/item?id=41046956