Let's Encrypt plans to drop support for OCSP
Let's Encrypt has announced that it intends to end support "as soon as possible" for the Online Certificate Status Protocol (OCSP) over privacy concerns. OCSP was developed as a lighter-weight alternative to Certificate Revocation Lists (CRLs) that did not involve downloading the entire CRL in order to check whether a certificate was valid. Let's Encrypt will continue supporting OCSP as long as it is a requirement for Microsoft's Trusted Root Program, but hopes to discontinue it soon:
We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor's particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let's Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.
People using Let's Encrypt as their CA should, for the most part, not need to change their setups. All modern browsers support CRLs, so end-users shouldn't notice an impact either.