Following the Mozilla Security Blog post Improving Revocation: OCSP Must-Staple and Short-lived Certificates, I was wondering if Let’s Encrypt will implement RFC 7633 (OCSP Must-Staple TLS Feature Extension)?
I think it’s not reasonable to expect that Let’s Encrypt implement it for all certificates (because it would imply that all servers using Let’s Encrypt support it),
but if they plan it, I hope it’s before the end of the beta period.
A less radical option could be an optional argument during the certificate generation for the client to specify that he wants that particular extension (but it could imply an update of the ACME protocol), or to accept it when the user requests it via the CSR. I think that option will help the check of the revocation status for legitimate certificates (in case the private key gets stolen) but will be less helpful for certificates generated without the consent of the owner of the domain (even if CT could help detect it).