OCSP Stapling

Hi there,

Are there any plans to add OCSP Stapling support to the TLS layer?
Is this something that intends to be supported?


Hey there! Good question.

The short answer is “yes”, but right this second I’d have a hard time giving you a precise timeline — it’s not at the top of our list of things to do, but it’s not at the bottom either. We’re almost certainly going to end up with cached, prefetched OCSP, and there’s a decent list of things that you want to get right with that — Sleevi’s Laws! — about which more here: ocsp-stapling.md · GitHub.

So, not to turn this back around on you, but to turn it back around on you: what’s your level of urgency for OCSP stapling support? Presumably this is about page load performance?

Level of urgency isn’t very high, it’s mainly for future proofing so that we are HIPAA and NIST compliant.

We’re about to engage with a company to do a pen test for us and I just wanted to make sure I’ve got enough information for questions they may have.

The last two aspects that we need to become compliant from the SSL/TLS side are OCSP Stapling and full ECDSA chain (this one is waiting on Let’s Encrypt to start pushing out their new ECDSA root cert).

Interesting. Until must-staple becomes prevalent we’d dialed down the importance of OCSP for security, but you’re right, people are going to get checklisted into wanting it supported.

I’ll try to get a firmer answer here (I know how we’d go about doing it but I’d have to talk to the team about where it’d land on our calendar).
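For anyone preparing for the kind of assessment mentioned above, here is an added example (not part of the thread, and not the vendor's code) of how to verify from the outside whether a TLS endpoint actually staples an OCSP response, and whether its certificate carries the must-staple TLS Feature extension. It assumes a stock `openssl` binary; `check_stapling` needs network access, while the two classifier functions work on captured text so they can be exercised offline.

```shell
#!/bin/sh
# Added example: check a TLS endpoint for OCSP stapling and must-staple.
# Not code from the thread or the vendor; assumes OpenSSL's s_client/x509 output format.

# check_stapling HOST [PORT]
# Opens a TLS connection with the status_request extension (-status) and
# reports whether the server stapled an OCSP response. Needs network access.
check_stapling() {
  host="$1"; port="${2:-443}"
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
  classify_stapling_output "$out"
}

# classify_stapling_output TEXT
# Prints "stapled" when a successful OCSP response was stapled,
# "stapled-bad" when a response was stapled but its status is not successful
# (e.g. tryLater), and "none" when the server sent no response at all.
classify_stapling_output() {
  case "$1" in
    *"OCSP Response Status: successful"*) echo stapled ;;
    *"OCSP response: no response sent"*)  echo none ;;
    *"OCSP Response Status:"*)            echo stapled-bad ;;
    *)                                    echo none ;;
  esac
}

# must_staple_from_cert_text TEXT
# Takes the output of `openssl x509 -in cert.pem -noout -text` and prints
# "must-staple" if the TLS Feature extension (status_request) is present,
# otherwise "optional". A must-staple cert makes a missing staple a hard failure
# in clients that honour the extension, so it changes the severity of "none" above.
must_staple_from_cert_text() {
  case "$1" in
    *"TLS Feature:"*"status_request"*) echo must-staple ;;
    *)                                 echo optional ;;
  esac
}

# Typical use (uncomment to run against a real host):
# check_stapling example.com
# must_staple_from_cert_text "$(openssl x509 -in cert.pem -noout -text)"
```

Running `check_stapling` against each public endpoint and pairing the result with `must_staple_from_cert_text` on the served certificate gives a quick answer to the question an assessor is likely to ask: is stapling on, and if the certificate demands it, is it ever missing.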