Off-topic: Just for my interest, where does the extra load come from? And is it significant? OCSPs need to be signed anyway and LE doesn’t use CRLs.
Revocation doesn’t cause any significant additional load on our end. I’m not sure where I got that idea, but thinking it through & checking with others I’ve learned it’s not true. I edited my response on the initial thread to clarify that the reason revocation should be skipped short of suspecting key compromise is that it’s just extra work without a lot of tangible benefit.
Thanks for asking & prompting the thought experiment
Well, could be there was some extra load somewhere, but good to know there isn’t!
What exactly happens then? Does LE continue to sign OCSP responses with a negative status? (Not sure about the inner details of OCSP responses).
Assuming the world had globally transitioned to OCSP must-staple, would it then even reduce the load since LE could just stop signing OCSP responses at all?
The CA basically keeps re-signing the “REVOKED” response, like any other OCSP response. BRs state that:
Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the Expiry Date of the revoked Certificate
The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.
So yeah, same signing load. I suppose it wouldn’t be strictly necessary in a Must-Staple-only world, but probably not worth it to change the relevant RFCs and BRs since revocation is rather uncommon.
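The re-signing loop and the two timing limits described in this reply, as an added example that is not code from the thread or from Let's Encrypt. It uses the Python `cryptography` package; the CA, the 90-day leaf certificate, all timestamps and the `key_compromise` reason are constructed locally, and the four-day refresh, ten-day maximum validity and keep-until-expiry rules are taken from the BR text quoted above.

```python
# Added example (not code from the thread or from Let's Encrypt): a miniature OCSP
# responder plus a checker for the BR limits quoted above. Needs the `cryptography`
# package; the CA, leaf certificate and all timestamps are constructed locally.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DAY = datetime.timedelta(days=1)
MAX_REFRESH = 4 * DAY    # BR: CA must update OCSP information at least every four days
MAX_VALIDITY = 10 * DAY  # BR: nextUpdate - thisUpdate must not exceed ten days
NAME = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _field(obj, name):
    """Read a timestamp as naive UTC; newer cryptography releases add tz-aware *_utc accessors."""
    if hasattr(type(obj), name + "_utc"):
        value = getattr(obj, name + "_utc")
        return value.astimezone(datetime.timezone.utc).replace(tzinfo=None) if value else None
    return getattr(obj, name)

def _cert(subject, issuer, key, signer, now, days, ca=False):
    """Constructed certificate: self-signed CA, or a 90-day leaf (Let's Encrypt-style lifetime)."""
    b = (x509.CertificateBuilder().subject_name(NAME(subject)).issuer_name(NAME(issuer))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - 30 * DAY).not_valid_after(now + days * DAY))
    if ca:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return b.sign(signer, hashes.SHA256())

def sign_response(ca_key, ca_cert, leaf, status, this_update, next_update, revoked_at=None):
    """Sign one OCSP response for leaf directly with the CA key (no delegated responder cert)."""
    reason = x509.ReasonFlags.key_compromise if revoked_at else None  # constructed reason
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca_cert, algorithm=hashes.SHA256(),
                          cert_status=status, this_update=this_update, next_update=next_update,
                          revocation_time=revoked_at, revocation_reason=reason)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)

def check_response(der, ca_cert, now):
    """Verify the signature and the BR timing limits; return (status name, list of problems)."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return None, ["response status: " + resp.response_status.name]
    problems = []
    try:
        ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        problems.append("signature does not verify with the issuer key")
    this_update, next_update = _field(resp, "this_update"), _field(resp, "next_update")
    if now - this_update > MAX_REFRESH:
        problems.append("thisUpdate older than four days: not refreshed on the BR cadence")
    if next_update is None:
        problems.append("no nextUpdate, validity is unbounded")
    elif next_update - this_update > MAX_VALIDITY:
        problems.append("validity window longer than ten days")
    elif next_update < now:
        problems.append("response expired")
    return resp.certificate_status.name, problems

def run_responder(ca_key, ca_cert, leaf, status, start, revoked_at=None):
    """Re-sign on the four-day cadence from start until the leaf expires; return the responses.
    The loop is identical for GOOD and REVOKED: revocation changes the status inside each
    response, not how often the CA signs, and the entry is only dropped after notAfter."""
    responses, this_update = [], start
    not_after = _field(leaf, "not_valid_after")
    while this_update <= not_after:
        responses.append(sign_response(ca_key, ca_cert, leaf, status, this_update,
                                       this_update + 7 * DAY, revoked_at))
        this_update += MAX_REFRESH
    return responses

def demo():
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)  # naive UTC
    ca_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca_cert = _cert("Example Test CA", "Example Test CA", ca_key, ca_key, now, 3650, ca=True)
    leaf = _cert("example.test", "Example Test CA", leaf_key, ca_key, now, 90)
    revoked_at = now - 8 * DAY
    # Not refreshed for six days and a 12-day window: two separate BR violations
    stale = sign_response(ca_key, ca_cert, leaf, ocsp.OCSPCertStatus.REVOKED,
                          now - 6 * DAY, now + 6 * DAY, revoked_at)
    good_run = run_responder(ca_key, ca_cert, leaf, ocsp.OCSPCertStatus.GOOD, now)
    revoked_run = run_responder(ca_key, ca_cert, leaf, ocsp.OCSPCertStatus.REVOKED, now, revoked_at)
    return {
        "fresh": check_response(revoked_run[0], ca_cert, now),
        "stale": check_response(stale, ca_cert, now),
        "signings_good": len(good_run),
        "signings_revoked": len(revoked_run),
        "last_status": check_response(revoked_run[-1], ca_cert, now + 88 * DAY)[0],
    }

if __name__ == "__main__":
    print(demo())
```

`demo()` signs a full 90-day run for the same leaf once as GOOD and once as REVOKED and returns the same signature count for both (23 responses at a four-day cadence), with the last REVOKED response still verifying and still in its validity window on day 88. The `stale` response shows what a monitoring check should flag: a thisUpdate older than four days and a thisUpdate-to-nextUpdate window longer than ten days.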