I think a valid point of criticism is that this increases the centralization of the web.
I think it's already a notable shift that an HTTPS server must periodically connect to the internet in some way to get a renewed certificate - but with OCSP Stapling, the requirement seems to be that the server queries the CA in real time, i.e. has a permanent internet connection.
All of this is clearly necessary to keep HTTPS secure (as the article described very well) and wouldn't be a problem if the end goal weren't to make HTTPS the only option to serve web pages - but as things are going now, together with DoH, it really feels that browsers have changed from being tools to view HTML documents to front-ends for yet another platform.
> I think a valid point of criticism is that this increases the centralization of the web.
this = ??? OCSP stapling?
I fail to see how it increases centralization.
> I think it's already a notable shift that an HTTPS server must periodically connect to the internet in some way to get a renewed certificate - but with OCSP Stapling, the requirement seems to be that the server queries the CA in real time, i.e. has a permanent internet connection.
Both points you've made here suffer from oversimplification.
1. The web server does not need to connect to the internet; an agent with access to the key does. Rather, an agent that acquires a signed CSR, so this doesn't mean the server has to share the key, just a signed CSR.
2. The server does not need to query in real time, just once a day, and it can be done in advance, not "on demand".
> All of this is clearly necessary to keep HTTPS secure (as the article described very well)
Perhaps this is just a difference of opinion, but I don't think the article makes the case that this helps at all. Consider a state-run CA that mints certificates for state purposes (and of course client browsers are forced to use the trust anchor). It simply doesn't include the stapling option in the cert, or it points to its own OCSP server.
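A minimal model of the refresh policy the reply describes (fetch one OCSP response per validity window, well in advance, and never on demand), as an added example that is not from the thread or any project. The 7-day window, the 50% refresh point, the timestamps and the `fetch` callable standing in for whatever agent talks to the CA are constructed assumptions.

```python
"""Offline model of an OCSP stapling refresh loop (standard library only).

Constructed example: the agent refreshes once per validity window, before
nextUpdate, and the web server only ever serves the cached response. A CA
outage is tolerated as long as the cached response has not expired.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

DAY = timedelta(days=1)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start of window


@dataclass(frozen=True)
class OcspStaple:
    this_update: datetime  # thisUpdate from the OCSP responder
    next_update: datetime  # response must not be served at or after this


def refresh_at(staple: OcspStaple, fraction: float = 0.5) -> datetime:
    """Refresh once half the validity window has elapsed, leaving the other
    half to retry if the CA is unreachable (assumed policy, not a standard)."""
    return staple.this_update + (staple.next_update - staple.this_update) * fraction


def usable_staple(staple: Optional[OcspStaple], now: datetime) -> Optional[OcspStaple]:
    """Return the cached response only while it is within its validity window;
    an expired staple is worse than none, since clients reject it."""
    if staple is None or not (staple.this_update <= now < staple.next_update):
        return None
    return staple


def tick(staple: Optional[OcspStaple], now: datetime,
         fetch: Callable[[datetime], OcspStaple]) -> Optional[OcspStaple]:
    """One pass of the agent: fetch only when due, keep the old staple on failure."""
    if staple is None or now >= refresh_at(staple):
        try:
            return fetch(now)
        except OSError:  # CA unreachable: fall back to the cached response
            return usable_staple(staple, now)
    return staple  # not due yet: no contact with the CA at all


def fake_responder(now: datetime) -> OcspStaple:
    """Constructed responder: every answer is valid for seven days."""
    return OcspStaple(this_update=now, next_update=now + 7 * DAY)


def unreachable_responder(now: datetime) -> OcspStaple:
    """Constructed outage: the CA cannot be reached."""
    raise OSError("OCSP responder unreachable")
```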