
github.com/tomwassenberg/ is a nice way of setting up reliable OCSP stapling with certbot + nginx. Finally enabled Must-Staple for grapheneos.org. The value of Must-Staple is minimal though and wouldn't have any use if Let's Encrypt supported shorter certificate lifetimes.
Must-Staple is a flag in the certificate. A wrongly issued certificate wouldn't have it set, so the feature doesn't help with revocation of wrongly issued certificates. Shorter certificate lifetimes would offer the same advantages without needing clients to adopt Must-Staple...
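The point made above, that Must-Staple is a flag carried inside the certificate itself and so only affects certificates issued with it, can be seen directly with openssl. The script below is an added example, not code from the thread or from the linked tooling: it mints two throwaway self-signed certificates, one with the TLS Feature extension (status_request, RFC 7633) and one without, and checks which one a client would treat as Must-Staple. It assumes openssl 1.1.1 or newer (for `req -addext`); the hostname example.test is hypothetical. The last function shows the live check a practitioner runs after enabling stapling on a server; it needs network access and is not executed here.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked tooling.
# Builds two self-signed test certificates with openssl: one carrying the
# TLS Feature extension (status_request, i.e. Must-Staple, RFC 7633), one
# without, and checks which one a client would treat as "must staple".
# Assumptions: openssl 1.1.1 or newer (for `req -addext`); the hostname
# example.test is hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert OUT [ADDEXT]: write a throwaway self-signed cert to OUT, optionally
# adding one X.509 extension using openssl's -addext "name=value" syntax.
make_cert() {
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=example.test" -keyout "$1.key" -out "$1" \
            -addext "$2" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=example.test" -keyout "$1.key" -out "$1" >/dev/null 2>&1
    fi
}

# has_must_staple CERT: succeed if CERT carries the status_request TLS feature.
# openssl's text dump renders the extension as "TLS Feature:" followed by the
# feature name "status_request".
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'status_request'
}

# check_live_staple HOST: query a real server (needs network; not run here) and
# succeed only if it stapled a good OCSP response into the handshake. A
# Must-Staple certificate served without a staple is a hard failure in clients
# that honour the flag, so this is the check to run after turning it on.
check_live_staple() {
    printf 'Q' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Demonstration: the flag lives in the certificate, so only the cert issued
# with it is affected; a cert issued without it (e.g. a misissued one) is not.
make_cert "$WORK/must-staple.pem" "tlsfeature=status_request"
make_cert "$WORK/plain.pem"
for c in must-staple plain; do
    if has_must_staple "$WORK/$c.pem"; then
        echo "$c.pem: Must-Staple set (clients should refuse an unstapled handshake)"
    else
        echo "$c.pem: no Must-Staple flag"
    fi
done
```

Run it as `sh must-staple-check.sh`; to test a deployed server, call `check_live_staple grapheneos.org` (or any host) from a shell that has sourced the script, and treat a non-zero exit as "the staple is missing", which on a Must-Staple certificate means clients that enforce the flag will fail the connection.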