> Well, Must-Staple is also optional for pretty much similar reasons: clients must understand it.
That doesn’t mean it needs to be optional, since clients that do not understand it will ignore it.
(Same as your “must check” flag).
> If OCSP is down while the server wants to fetch it, well, forget it.
The main difference, and what I think you are failing to grasp, is that stapling only needs the OCSP service to be available once in a while from the server, and ACME itself makes the very same assumption (you need to talk to the ACME server to renew the certificate, obviously).
On the other hand, your “hardfail” flag requires the OCSP service to be available all the time, from all clients.
> The server doesn't support OCSP stapling, which might especially be the case when you are either talking about non-HTTP servers or services that bring their own server on their own port, like qwebirc or whatever.
Those services also have hosts of other issues, starting with obsolete TLS versions (or even SSLv3!) and ciphersuites, and <SSL vuln of the month with a cheesy name>. Also, nothing prevents the sysadmin from using any other kind of TLS front-end (usually as part of their reverse-proxy).
To sum it up, having an “OCSP hardfail” flag has the following drawbacks, compared to “OCSP Must-Staple”, for no apparent advantage:
- higher load on the OCSP infrastructure;
- much higher reliability requirements on the OCSP infra and the client connectivity, which brings a notable DoS vector;
- requires a TLS extension that doesn’t even exist as a draft (whereas Mozilla and others have at least experimented with Must-Staple).
In any case, this seems off-topic in this thread and I think you should have a look at Adam Langley’s note, linked earlier.
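The availability argument in the post above (a stapled response only needs the OCSP responder reachable once per validity window, whereas client-side hardfail needs it reachable for every single handshake) can be made concrete with a small model. This is an added example, not code from the original thread or from any of its participants; the validity window, refresh interval, traffic rate and outage intervals are constructed assumptions chosen for illustration.

```python
"""Toy model: how many TLS handshakes fail under OCSP Must-Staple versus an
OCSP 'hardfail' client flag, for the same responder outages.

Added illustration, not from the original discussion. All parameters below
are assumptions, not measurements of any real CA or responder."""

OCSP_VALIDITY_HOURS = 7 * 24   # assumed 'nextUpdate' window of a response
REFRESH_INTERVAL_HOURS = 1     # assumed: server retries the fetch hourly
CLIENTS_PER_HOUR = 1000        # assumed uniform traffic, for counting failures


def responder_up(hour, outages):
    """True if the OCSP responder is reachable at `hour`.

    `outages` is a list of (start_hour, end_hour) half-open intervals
    during which the responder is unreachable (constructed input)."""
    return not any(start <= hour < end for start, end in outages)


def simulate(total_hours, outages, clients_per_hour=CLIENTS_PER_HOUR):
    """Return (must_staple_failures, hardfail_failures) over `total_hours`.

    Must-Staple: the server re-fetches a response whenever the responder is
    up and keeps serving the cached one until it expires, so a handshake
    fails only once the cache has expired without a successful refresh.
    Hardfail: every client contacts the responder itself on every handshake,
    so every handshake during an outage fails."""
    staple_expires_at = -1      # hour at which the cached staple expires
    staple_failures = 0
    hardfail_failures = 0
    for hour in range(total_hours):
        # Server side: attempt a refresh on schedule; success extends the cache.
        if hour % REFRESH_INTERVAL_HOURS == 0 and responder_up(hour, outages):
            staple_expires_at = hour + OCSP_VALIDITY_HOURS
        # Must-Staple clients only see a failure once the staple is stale.
        if hour >= staple_expires_at:
            staple_failures += clients_per_hour
        # Hardfail clients fail for the whole duration of every outage.
        if not responder_up(hour, outages):
            hardfail_failures += clients_per_hour
    return staple_failures, hardfail_failures


if __name__ == "__main__":
    # Two short outages (4 h and 12 h) inside a two-week window: the staple
    # never goes stale, but every hardfail client hit during an outage fails.
    print(simulate(336, [(10, 14), (100, 112)]))
    # One outage longer than the validity window: now Must-Staple also
    # fails, but only after the cached response expires.
    print(simulate(336, [(1, 300)]))
```

The model shows the DoS asymmetry the post describes: under hardfail, every hour of responder downtime turns directly into client-facing failures, while under Must-Staple the responder has to stay down for an entire validity window (here a week) before a single handshake is affected.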