Search results
Results from the WOW.Com Content Network
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. [2] It is described in RFC 6960 and is on the Internet standards track.
Browsers and other relying parties might use CRLs, or might use alternate certificate revocation technologies (such as OCSP) [4] [5] or CRLSets (a dataset derived from CRLs [6]) to check certificate revocation status. Note that OCSP is falling out of favor due to privacy and performance concerns. [7] [8] [9] Subscribers and other parties can ...
OCSP stapling is designed to reduce the cost of an OCSP validation, both for the client and the OCSP responder, especially for large sites serving many simultaneous users. However, OCSP stapling supports only one OCSP response at a time, which is insufficient for certificate chains with intermediate CA certs. [26] [27]
OCSP suffers from scalability issues. It relies on the client having network access at the time of checking the certificate's revocation status; further, the OCSP responder must be accessible and produce usable responses, or else the check will fail and the client must choose between failing-soft and failing-hard.
Without revocation, an attacker would be able to exploit such a compromised or misissued certificate until expiry. [31] Hence, revocation is an important part of a public key infrastructure. [32] Revocation is performed by the issuing CA, which produces a cryptographically authenticated statement of revocation. [33]
X.509 and RFC 5280 also include standards for certificate revocation list (CRL) implementations. Another IETF-approved way of checking a certificate's validity is the Online Certificate Status Protocol (OCSP). Firefox 3.0 enabled OCSP checking by default, as did versions of Windows from at least Vista and later. [9]
Their use doesn't involve the problems of trusting third parties that may improperly sign certificates. Self-signed certificate transactions usually present a far smaller attack surface by eliminating both the complex certificate chain validation, [1] and certificate revocation checks like CRL and OCSP.
The group's primary focus [15] was promoting an understanding of the importance of certificate revocation checking and the benefits of OCSP stapling. The protocol is intended to ensure that web users are aware when they visit a web site with a revoked or expired SSL certificate. [16]