Let's Encrypt ending OCSP
Today we are announcing our intent to end Online Certificate Status Protocol (OCSP) support in favor of Certificate Revocation Lists (CRLs) as soon as possible. OCSP and CRLs are both mechanisms by which CAs can communicate certificate revocation information, but CRLs have significant advantages over OCSP.
Let’s Encrypt has been providing an OCSP responder since our launch nearly ten years ago. We added support for CRLs in 2022.
Websites and people who visit them will not be affected by this change, but some non-browser software might be.
We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor’s particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let’s Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.
We are also taking this step because keeping our CA infrastructure as simple as possible is critical for the continuity of compliance, reliability, and efficiency at Let’s Encrypt. For every year that we have existed, operating OCSP services has taken up considerable resources that can soon be better spent on other aspects of our operations. Now that we support CRLs, our OCSP service has become unnecessary.
In August of 2023 the CA/Browser Forum passed a ballot to make providing OCSP services optional for publicly trusted CAs like Let’s Encrypt. With one exception, Microsoft, the root programs themselves no longer require OCSP. As soon as the Microsoft Root Program also makes OCSP optional, which we are optimistic will happen within the next six to twelve months, Let’s Encrypt intends to announce a specific and rapid timeline for shutting down our OCSP services. We hope to serve our last OCSP response between three and six months after that announcement. The best way to stay apprised of updates on these plans is to subscribe to our API Announcements category on Discourse.
We recommend that anyone relying on OCSP services today start the process of ending that reliance as soon as possible. If you use Let’s Encrypt certificates to secure non-browser communications such as a VPN, you should ensure that your software operates correctly if certificates contain no OCSP URL. Fortunately, most OCSP implementations “fail open” which means that an inability to fetch an OCSP response will not break the system.
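The check a non-browser integrator would want to run, written here as an added example (it is not Let’s Encrypt code and not part of the original post): inspect a certificate for an OCSP URL and a CRL Distribution Point using Go's standard crypto/x509, then perform revocation checking from the CRL alone, with an explicit fail-open or fail-closed choice for the case where no usable CRL can be obtained. The CA, leaf certificates, CRL and the URL http://crl.example.invalid/ca.crl are all constructed in the block so it runs offline; the leaves deliberately carry no OCSPServer entry, which is the shape a certificate takes once the OCSP URL is gone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Status is the outcome of a revocation check; Unknown is where policy decides.
type Status int

const Good, Revoked, Unknown Status = 0, 1, 2

// HasOCSPURL and HasCRLURL expose what crypto/x509 parsed from the AIA and CRL Distribution Points extensions.
func HasOCSPURL(c *x509.Certificate) bool { return len(c.OCSPServer) > 0 }
func HasCRLURL(c *x509.Certificate) bool  { return len(c.CRLDistributionPoints) > 0 }

// CheckRevocation consults CRLs only and ignores any OCSP URL, so it keeps working once
// certificates stop carrying one. fetchCRL returns the DER CRL for a distribution-point URL
// (an HTTP GET in practice). With failClosed=false an undeterminable status is accepted.
func CheckRevocation(leaf, issuer *x509.Certificate, fetchCRL func(string) ([]byte, error), failClosed bool) (Status, error) {
	lastErr := errors.New("certificate lists no CRL distribution point")
	for _, u := range leaf.CRLDistributionPoints {
		var crl *x509.RevocationList
		der, err := fetchCRL(u)
		if err == nil {
			crl, err = x509.ParseRevocationList(der)
		}
		// A CRL is only usable if the issuer signed it and it has not expired.
		if err == nil {
			err = crl.CheckSignatureFrom(issuer)
		}
		if err == nil && time.Now().After(crl.NextUpdate) {
			err = errors.New("CRL is stale")
		}
		if err != nil {
			lastErr = err
			continue
		}
		for _, e := range crl.RevokedCertificateEntries {
			if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return Revoked, nil
			}
		}
		return Good, nil
	}
	if failClosed {
		return Unknown, lastErr
	}
	return Unknown, nil // fail open: the caller proceeds, as most OCSP clients do today
}

// TestPKI is a constructed CA, two leaves and one CRL so the example runs offline;
// nothing here is a real Let's Encrypt artifact and crlURL is a placeholder.
type TestPKI struct {
	CA, GoodLeaf, RevokedLeaf *x509.Certificate
	CRLs                      map[string][]byte // stands in for HTTP fetches, keyed by URL
}

const crlURL = "http://crl.example.invalid/ca.crl"
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func BuildTestPKI() *TestPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// Leaves carry a CRL Distribution Point and, deliberately, no OCSPServer:
	// the shape of a certificate issued after the OCSP shutdown.
	issue := func(serial int64, cn string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			CRLDistributionPoints: []string{crlURL},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	good, revoked := issue(1001, "good.example.invalid"), issue(1002, "revoked.example.invalid")
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey))
	return &TestPKI{CA: ca, GoodLeaf: good, RevokedLeaf: revoked, CRLs: map[string][]byte{crlURL: crlDER}}
}
```

Two design points worth noting. The CRL is rejected unless the issuer's key verifies its signature and its NextUpdate has not passed, so a stale or foreign CRL counts as "no information" rather than as "not revoked". And the fail-open versus fail-closed decision is made in one place, by the caller, instead of being an accident of whichever OCSP library happened to swallow the fetch error; a VPN or other non-browser client that needs hard revocation guarantees would pass failClosed=true and fetch CRLs on a schedule rather than per connection.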
Internet Security Research Group (ISRG) is the parent organization of Let’s Encrypt, Prossimo, and Divvi Up. ISRG is a 501(c)(3) nonprofit. If you’d like to support our work, please consider getting involved, donating, or encouraging your company to become a sponsor.