Re: Proposal for implementing OCSP Stapling in PostgreSQL - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: Proposal for implementing OCSP Stapling in PostgreSQL
Msg-id CAOYmi+nnkjCKmB3BA_TQpipgsfEjvGyyR6TEGtBTntMAgCqzbw@mail.gmail.com
In response to Re: Proposal for implementing OCSP Stapling in PostgreSQL  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: Proposal for implementing OCSP Stapling in PostgreSQL
List pgsql-hackers
On Wed, Aug 7, 2024 at 12:20 AM Daniel Gustafsson <daniel@yesql.se> wrote:
>
> While I have only skimmed the patch so far and need more review before I can
> comment on it, I do have a question on the expected use of OCSP support in
> postgres.  With OCSP becoming optional [0], and big providers like Let's
> Encrypt deprecating OCSP [1], is this mainly targeting organizations running
> their own CA with in-house OCSP?

That announcement took me by surprise (and, it looks like, a number of
other people [1, 2]). I get that OCSP is expensive and painful for
Let's Encrypt, based on previous outages and blog posts, but I also
figured that Must-Staple was basically the best you could do without
being a browser. It already seemed pretty clear that we shouldn't
build a client-side OCSP check. Throwing server-side stapling under
the bus with it was unexpected.

Some of the LE quotes on the matter are giving me cart-before-horse vibes:

> But it is clear to me OCSP is an ineffective technical dead-end, and we are all better served by moving on to figure out what else we can do.
>
> We may keep OCSP running for some time for certificates that have the must-staple extension, to help smooth the transition, but at this time we don’t have a plan for how to actually deprecate OCSP: just an intent, publicized to ensure we can all begin to plan for a future without it.

It's pretty frustrating to hear about a "transition" when there is
nothing to transition to.

I honestly wonder if they're going to end up walking some of this
back. The messaging reminds me of "that one project" that every
company seems to have, where it's expensive and buggy as heck, all the
maintainers want to see it deleted, and they unilaterally declare over
clients' objections that they will, only to find at the last second
that the cure is worse than the disease and then finally resign
themselves to supporting it. Tears are shed, bridges burned.

Anyways, I look forward to seeing how broken my crystal ball is this
time. The timing is awful for this patchset in particular.

--Jacob

[1] https://community.letsencrypt.org/t/sunsetting-of-ocsp-in-favor-of-older-technology/222589
[2] https://community.letsencrypt.org/t/what-will-happen-to-must-staple/222397
