thayne 2 days ago

I don't think any browsers still support OCSP. The problem with OCSP stapling is that either the client has to fall back to doing OCSP checking itself if the server doesn't staple the signature, which has its own problems[1], or enough servers need to support OCSP stapling that the client can just reject connections that don't include it. And unfortunately, there was never a significant uptake for servers, partly because there wasn't really any incentive to implement OCSP stapling. Maybe if there was a TLS 2.0 (or some other standard) that required OCSP stapling and had other benefits as well, it could work.

[1]: The biggest problem with non-stapled OCSP is what to do if you don't get a response for the OCSP request. If you fail open, an attacker can intercept the request to prevent you from knowing the cert is revoked, but if you fail closed, then any issue with the connection to the OCSP server results in loss of service. And then there are also issues with additional latency to wait for the OCSP response, privacy leaks from the OCSP requests, etc.
Ayesh 2 days ago | parent

If the certificate was issued with must-staple flag, then the server can refuse to connect if the handshake did not include an OCSP response. Web servers can refresh OCSP responses in the background and cache valid responses to add some tolerance against temporary downtimes in the OCSP server.
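An added example (my own model, not Ayesh's code or any real web server's implementation) of the refresh-and-cache behaviour described above: the responder fetch and the clock are injected so that a responder outage can be simulated, and `OcspResponse` is a constructed stand-in for the fields of a real DER-encoded OCSP response.

```python
"""Model of a web server's OCSP-stapling cache (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class OcspResponse:
    """The fields a server needs when deciding whether to staple a response."""
    this_update: float   # seconds since epoch, when the responder signed it
    next_update: float   # after this, clients treat the response as stale
    good: bool           # True = certificate not revoked


class StaplingCache:
    """Keeps the last valid OCSP response and refreshes it in the background.

    `fetch` stands in for the HTTP request to the CA's OCSP responder and
    returns None when the responder is unreachable. A refresh is attempted
    once `refresh_margin` of the response's validity window has elapsed, so
    several failed attempts can be tolerated before the cached copy expires.
    """
    def __init__(self, fetch: Callable[[], Optional[OcspResponse]],
                 now: Callable[[], float], refresh_margin: float = 0.5):
        self._fetch = fetch
        self._now = now
        self._margin = refresh_margin
        self._cached: Optional[OcspResponse] = None
        self.failed_refreshes = 0

    def _needs_refresh(self) -> bool:
        if self._cached is None:
            return True
        window = self._cached.next_update - self._cached.this_update
        return self._now() >= self._cached.this_update + self._margin * window

    def refresh(self) -> None:
        """Background job: try the responder; on failure keep what we have."""
        if not self._needs_refresh():
            return
        fresh = self._fetch()
        if fresh is None or fresh.next_update <= self._now():
            self.failed_refreshes += 1   # responder down or served a stale reply
            return
        self._cached = fresh
        self.failed_refreshes = 0

    def staple(self) -> Optional[OcspResponse]:
        """Per handshake: staple only a response still inside its validity window.
        None means no status is sent; with a must-staple certificate a client
        is expected to refuse such a handshake."""
        if self._cached is None or self._cached.next_update <= self._now():
            return None
        return self._cached
```

While the cached response is still within its window, a responder outage costs nothing; only an outage that outlasts the window makes the server stop stapling.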