gerdesj 2 days ago

"And let's not pretend users aren't already sending all the hostnames they are visiting to their selected DNS server. Why is that somehow okay, but OCSP not?"

Running your own DNS server is rather easier than messing with OCSP. You do at least have a choice, even if it is bloody complicated.

SSL certs (and I refuse to call them TLS) will soon have a required lifetime of forty-something days. OCSP and the rest becomes moot.

dogma1138 2 days ago | parent

You still are reaching out to authoritative servers for that domain, so someone else other than the destination knows what you are looking for.

The 47 day life expectancy isn’t going to come until 2029 and it might get pushed.

Also 47 days is still too long if certificates are compromised.

the8472 2 days ago | parent | next

The authoritative servers for a domain are likely to be operated by the same entity as the domain itself.

cyberax 2 days ago | parent | prev

You can request 6-day certificates from Let's Encrypt. There's a clear path towards 24-hour certificates. This will be pretty much equivalent to the current status quo with the OCSP stapling.

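The comment above compares 6-day certificates with OCSP stapling on the grounds that expiry bounds how long a compromised key stays usable. The following is an added example, not code from the thread or from Let's Encrypt: it generates a throwaway self-signed certificate with the Go standard library, reads its validity period back, and checks it against the 47-day ceiling and 6-day profile discussed above. The 47-day and 6-day figures are taken from the thread; the rule of renewing once a third of the lifetime remains is an assumption for the example (the kind of threshold an ACME client would use), as are the hostname and key type.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Lifetime limits discussed in the thread: the 47-day maximum that is being
// phased in, and the 6-day short-lived profile Let's Encrypt is introducing.
const (
	MaxLifetime47 = 47 * 24 * time.Hour
	ShortLived6   = 6 * 24 * time.Hour
)

// Lifetime is the validity period encoded in the certificate (NotAfter - NotBefore).
func Lifetime(c *x509.Certificate) time.Duration {
	return c.NotAfter.Sub(c.NotBefore)
}

// WithinLimit reports whether the certificate's lifetime respects a policy ceiling.
func WithinLimit(c *x509.Certificate, limit time.Duration) bool {
	return Lifetime(c) <= limit
}

// ExposureWindow is how long a compromised key remains usable as of `now` when
// expiry is the only defence, i.e. no working revocation check on the client.
func ExposureWindow(c *x509.Certificate, now time.Time) time.Duration {
	if !now.Before(c.NotAfter) {
		return 0
	}
	return c.NotAfter.Sub(now)
}

// ShouldRenew applies the assumed client policy: renew once a third of the
// lifetime (or less) remains. For a 6-day cert that is two days before expiry.
func ShouldRenew(c *x509.Certificate, now time.Time) bool {
	return ExposureWindow(c, now) <= Lifetime(c)/3
}

// SelfSigned builds a throwaway certificate with the requested lifetime so the
// checks can be exercised offline. A real certificate would come from the CA;
// the hostname and P-256 key are arbitrary choices for this example.
func SelfSigned(notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Parse the DER back so the checks operate on what a client would see.
	return x509.ParseCertificate(der)
}

func main() {
	// Whole-second timestamps: X.509 validity fields carry no sub-second precision.
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	for _, lt := range []time.Duration{ShortLived6, 90 * 24 * time.Hour} {
		c, err := SelfSigned(start, lt)
		if err != nil {
			panic(err)
		}
		now := start.Add(4 * 24 * time.Hour) // pretend the key leaked four days in
		fmt.Printf("lifetime %v  within 47-day limit: %v  exposure if compromised now: %v  renew: %v\n",
			Lifetime(c), WithinLimit(c, MaxLifetime47), ExposureWindow(c, now), ShouldRenew(c, now))
	}
}
```

The point the numbers make is the one cyberax is arguing: with a 6-day certificate the worst-case exposure after a key compromise is days rather than the months a 90-day certificate allows, which is roughly the assurance a fresh stapled OCSP response gives today.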
akerl_ a day ago | parent

Is that live yet? (Not asking to be critical; I was keeping an eye out because I wanted to migrate but last I saw, 6 day certs were still in testing-only).

cyberax a day ago | parent

It's in beta now; they are planning to release it very, very soon.