> I think a valid point of criticism is that this increases the centralization of the web.
this = ??? OCSP stapling?
I fail to see how it increases centralization.
> I think it's already a notable shift that an HTTPS server must periodically connect to the internet in some way to get a renewed certificate - but with OCSP Stapling, the requirement seems to be that the server queries the CA in realtime, i.e. has a permanent internet connection.
Both points you've made here suffer from oversimplification.
1. The web server does not need to connect to the internet; an agent with access to the key does. Rather, an agent that acquires a signed CSR, so this doesn't mean the server has to share the key, just a signed CSR.
2. The server does not need to query in real time, just once a day, and it can be done in advance, not "on demand".
> All of this is clearly necessary to keep HTTPS secure (as the article described very well)
Perhaps this is just a difference of opinion, but I don't think the article makes the case that this helps at all. Consider a state-run CA that mints certificates for state purposes (and of course client browsers are forced to use the trust anchor). It simply doesn't include the stapling option in the cert, or it points to its own OCSP server.
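The two mechanics disputed above (a renewal agent that only needs a signed CSR, and a stapled OCSP response fetched once a day in advance rather than per client request) and the case in the last paragraph (a CA that simply leaves the stapling requirement out of the cert) can all be walked through offline with the openssl CLI. The script below is an added example, not code from this thread or from the article it discusses; the CA name, the hostnames, the http://ocsp.example.test responder URL and the one-day validity window are constructed for the demo. The OCSP responder is run from an index file, so nothing listens on a port and no client is involved; the "server" only ever sees files handed to it.

```shell
#!/bin/sh
# Added example, not code from this thread or the article it discusses:
# the OCSP stapling lifecycle run entirely offline with the openssl CLI.
# CA name, hostnames, the http://ocsp.example.test URL and the one-day
# validity window are all constructed for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Private req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash
EOF

make_ca() {
  openssl req -x509 -config req.cnf -extensions v3_ca -subj "/CN=Demo Root CA" \
    -newkey rsa:2048 -nodes -sha256 -days 30 -keyout ca.key -out ca.pem >/dev/null 2>&1
}

# Issue a leaf for hostname $1. Only the CSR goes to the CA; the private key
# stays on the host that generated it. $2=1 adds the must-staple TLS feature
# (status_request); $2=0 issues a cert with no stapling requirement at all.
make_leaf() {
  name="$1"; staple="$2"
  openssl req -new -config req.cnf -subj "/CN=$name" -newkey rsa:2048 -nodes \
    -sha256 -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
  printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test\n' > "$name.ext"
  if [ "$staple" = 1 ]; then printf 'tlsfeature=status_request\n' >> "$name.ext"; fi
  openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
}

# Exit 0 if the cert for hostname $1 carries the status_request TLS feature.
must_staple() {
  openssl x509 -in "$1.pem" -noout -text | grep -q 'status_request'
}

# Responder side: sign a "good" status for hostname $1 from the CA's index of
# issued serials and write the DER response to $2. No listener, no client.
# -ndays 1 puts Next Update 24h out; that window is what a once-a-day fetch
# is sized to.
sign_status() {
  serial="$(openssl x509 -in "$1.pem" -noout -serial | sed 's/^serial=//')"
  printf 'V\t400101000000Z\t\t%s\tunknown\t/CN=%s\n' "$serial" "$1" > index.txt
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -issuer ca.pem -cert "$1.pem" -ndays 1 -no_nonce -respout "$2" >/dev/null 2>&1
}

# Server side: check the cached response $2 for hostname $1 against the CA
# with no network access. Exit 0 only if the CA's signature verifies and the
# status is "good".
verify_staple() {
  out="$(openssl ocsp -respin "$2" -issuer ca.pem -cert "$1.pem" -CAfile ca.pem \
    -no_nonce 2>&1 || true)"
  echo "$out" | grep -q '^Response verify OK' && echo "$out" | grep -q "^$1.pem: good"
}

# The validity window of a cached response (This Update / Next Update lines).
response_window() {
  openssl ocsp -respin "$1" -noverify -text 2>/dev/null | grep -E 'This Update|Next Update'
}

# Refresh policy: re-fetch once the cached response is past the midpoint of
# its window, never per client hello and never only once it has expired.
# Arguments are epoch seconds: this_update next_update now.
refresh_due() {
  [ "$3" -ge "$(( ($1 + $2) / 2 ))" ]
}

make_ca
make_leaf www.example.test 1      # must-staple leaf
make_leaf plain.example.test 0    # same CA, no stapling requirement
sign_status www.example.test resp.der
must_staple www.example.test && echo "www.example.test: must-staple set"
must_staple plain.example.test || echo "plain.example.test: no stapling requirement"
verify_staple www.example.test resp.der && echo "stapled response verifies offline"
response_window resp.der
```

The point of `refresh_due` is the second claim above: the server works from `response_window` and schedules the next fetch from that, so a responder outage shorter than half the window is invisible to clients. The `plain.example.test` leaf is the last paragraph's scenario in miniature: the same CA, the same responder URL, and nothing in the cert that obliges anyone to staple.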