We’re very disappointed Let’s Encrypt is ending support for proper revocation checks via OCSP Must-Staple, which is the only efficient, private and secure method not depending on a browser-specific service:

https://letsencrypt.org/2024/12/05/ending-ocsp/

No replacement is being offered for the feature.

The built-in nginx support for OCSP stapling doesn’t have a way to properly save the last valid result and reuse it but nginx fully supports handling it via an external service. We use https://github.com/tomwassenberg/certbot-ocsp-fetcher for reliable OCSP stapling and it has always worked very well for us.
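As an added illustration of the file-based approach described above (this configuration is not from the post, from GrapheneOS, or from the certbot-ocsp-fetcher project), here is an nginx server block that staples a response which an external fetcher keeps up to date on disk. The hostname, certificate paths and the location of the DER file are assumptions chosen for the example.

```nginx
# Added example: staple an OCSP response maintained by an external fetcher.
# All paths and the hostname are placeholders, not the post's real values.
server {
    listen 443 ssl;
    server_name example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # Serve the stapled response from a file instead of letting nginx fetch
    # it lazily from the responder. The file must be a DER-encoded OCSP
    # response, as written by `openssl ocsp -respout` (which is what
    # certbot-ocsp-fetcher produces). nginx reads it at configuration load
    # and serves it as-is, so the fetcher must validate the response before
    # writing it, and nginx must be reloaded after the file is replaced.
    ssl_stapling      on;
    ssl_stapling_file /var/cache/certbot-ocsp-fetcher/example.org.der;
}
```

To confirm a live server is actually stapling, `openssl s_client -connect example.org:443 -servername example.org -status </dev/null` prints an `OCSP Response Status: successful (0x0)` section when a staple is sent; with a Must-Staple certificate, a missing staple causes supporting clients to refuse the connection, which is why the persisted-file approach matters when the responder is temporarily unreachable. Whether a certificate carries the Must-Staple extension at all can be checked with `openssl x509 -in cert.pem -noout -text`, which lists it as `TLS Feature: status_request`.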

Short-lived certificates are officially defined as having a 7-day or shorter lifetime. It would be a good replacement for OCSP Must-Staple, not requiring any client/server support. Let’s Encrypt doesn’t support short-lived certificates and hasn’t announced any plans for adding them.

Let’s Encrypt has been very positive about the concept of short-lived certificates and is likely going to implement them, which is great. Removing Must-Staple before those are available isn’t great. Short-lived certificates aren’t even being listed at https://letsencrypt.org/upcoming-features/ yet.

They’ve heavily implied that they’ll try to implement short-lived certificates in 2025, so there will eventually be a replacement for Must-Staple. It will probably come after Must-Staple has been removed for quite a while already. It’s not great having things regress before that.