by thayne 270 days ago
Browsers and CAs did support `must-staple`. Then they decided to drop support for OCSP altogether, in part because not enough servers were using must-staple (or ocsp stapling at all).

As for server implementations: for most servers, sure, it isn't that much harder to use `must-staple`, if you are already doing OCSP stapling. But most servers don't do the stapling at all, because there isn't a strong reason to, and you need to set up a system to periodically fetch and cache the OCSP signatures, and whatever system you use to terminate TLS needs to support it.
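The operational point above is that `must-staple` only makes sense once stapling already works: a certificate that carries the extension while the terminator does not staple will be refused by any client that still enforces it. The first thing a defender wants to check is therefore whether a given certificate actually carries the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24 with value `status_request`, feature number 5). The following is an added example, not code from the comment's author: a dependency-free DER walker that answers that question. The function names and the two sample extension blocks are mine; the sample bytes are hand-encoded for the demo and do not come from any real certificate.

```python
"""Check a certificate's X.509 extensions for RFC 7633 "must-staple"
(TLS Feature extension containing status_request). Standard library only:
a minimal DER walker instead of a full ASN.1 library."""
import ssl  # only used to convert a real PEM certificate to DER

# DER content bytes of OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature).
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")
STATUS_REQUEST = 5  # TLS extension number for OCSP status_request


def read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next N bytes hold the real length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_extensions(ext_seq: bytes):
    """Parse DER `Extensions ::= SEQUENCE OF Extension` into a list of
    (oid_bytes, critical, extnValue_bytes) tuples."""
    tag, body, _ = read_tlv(ext_seq, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE of extensions")
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:  # optional BOOLEAN critical (DEFAULT FALSE)
            critical = val != b"\x00"
            tag, val, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING extnValue")
        out.append((oid, critical, val))
    return out


def extensions_from_certificate(cert_der: bytes) -> bytes:
    """Return the Extensions SEQUENCE held in the [3] EXPLICIT field of a
    DER certificate's TBSCertificate, or b"" if the certificate has none."""
    _, cert, _ = read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)        # TBSCertificate SEQUENCE
    pos = 0
    while pos < len(tbs):
        tag, val, pos = read_tlv(tbs, pos)
        if tag == 0xA3:                  # context tag [3] = extensions
            return val
    return b""


def tls_features(extensions):
    """Feature numbers listed in the TLS Feature extension, [] if absent."""
    for oid, _critical, val in extensions:
        if oid == TLS_FEATURE_OID:
            _, seq, _ = read_tlv(val, 0)  # extnValue is SEQUENCE OF INTEGER
            feats, pos = [], 0
            while pos < len(seq):
                _, num, pos = read_tlv(seq, pos)
                feats.append(int.from_bytes(num, "big"))
            return feats
    return []


def has_must_staple(ext_seq: bytes) -> bool:
    return STATUS_REQUEST in tls_features(parse_extensions(ext_seq))


def has_must_staple_pem(pem: str) -> bool:
    """Same check for a real PEM-encoded certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return has_must_staple(extensions_from_certificate(der))


# Constructed sample blocks (hand-encoded DER, not from a real certificate):
# basicConstraints (critical, CA:FALSE) plus TLS Feature {status_request},
# and the same block without the TLS Feature extension.
MUST_STAPLE_EXTS = bytes.fromhex(
    "3021"                                       # SEQUENCE, 33 bytes
    "300c 0603551d13 0101ff 04023000"            # basicConstraints, critical
    "3011 06082b06010505070118 0405 3003020105"  # TLS Feature: [5]
)
PLAIN_EXTS = bytes.fromhex("300e 300c 0603551d13 0101ff 04023000")

if __name__ == "__main__":
    print("must-staple sample:", has_must_staple(MUST_STAPLE_EXTS))  # True
    print("plain sample:", has_must_staple(PLAIN_EXTS))              # False
```

On a real certificate the same fact is visible with `openssl x509 -in cert.pem -noout -text`, which prints the extension as `TLS Feature: status_request`; the script is useful where you want the check inside a deployment pipeline so that a must-staple certificate is never installed behind a terminator that has stapling switched off.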