What is OCSP (Online Certificate Status Protocol)?


What Is Information About Certificate Status Used For?

When a server, or any other relying party, uses public key infrastructure to decide whom to trust, it needs a way of telling valid certificates from invalid ones. Digital certificates are issued by a certification authority (CA). They carry an expiration date, after which they are no longer usable, but they can also stop being trustworthy before that date: the private key behind one may be stolen, or it may have been issued to someone who should never have had it. The CA therefore needs a way to revoke a certificate, and the relying party needs a way to find out that it has.

There are two ways currently in use to check whether a certificate has been revoked. The older way is the Certificate Revocation List (CRL). The newer way is the Online Certificate Status Protocol (OCSP).

How Does CRL Work?

A CRL is a signed list, published by a CA, of the serial numbers of certificates it has revoked before their expiry date. For each entry it records:

  • the serial number of the revoked certificate
  • when it was revoked
  • optionally, the reason for the revocation

The list as a whole is signed by the issuing CA, so you can tell which CA it came from and that it has not been tampered with, and it carries two timestamps: thisUpdate, when it was published, and nextUpdate, when the next one is due. A certificate whose serial number is absent from a fresh, correctly signed CRL from its issuer is treated as not revoked.

Based on the information in the CRL, the server allows or denies access to each user. The problem is keeping the list current. The client has to download the whole list (for a large CA it can run to megabytes) and refresh it regularly, and if it is working from a stale copy it may accept a certificate that the CA has since revoked. The nextUpdate field says when a copy should be considered expired; a client that keeps honoring a CRL past that date, or that skips the check because the download failed, is the classic failure mode.

Why Might a Certificate Be Revoked?

There are a few reasons why a certificate might be revoked, and the CRL reason codes list the common ones: the subscriber's private key could be compromised, or the CA's own key could be; the entity that obtained the certificate might have changed affiliation or ceased to exist; or the certificate might have been superseded by a newer one. A certificate can also be placed on hold, a temporary revocation that the CA can later lift.

How Does OCSP Work?

OCSP is designed to overcome the limitation inherent in the CRL design. Rather than downloading and refreshing whole lists, the client asks about one certificate at a time. When a user's browser connects to a server, it sends an OCSP request identifying the server's certificate (by a hash of its issuer's name, a hash of the issuer's key, and the serial number) to the CA's OCSP responder, whose URL is published in the certificate itself, and the responder sends back a signed answer. The certificate status in that answer is one of three:

  • good (the responder knows of no revocation for this certificate)
  • revoked (with the revocation time and, optionally, the reason)
  • unknown (the responder has no record of this certificate, typically because it was not issued by the CA it serves)

Expiry is not part of the OCSP answer: the browser checks the certificate's own validity period. Each response does carry thisUpdate and nextUpdate timestamps, which bound how long the client may cache it and keep relying on it.

There are some potential problems with OCSP. Responses are much smaller than CRLs, but every connection can trigger a round trip to the responder, so a large spate of requests can overload the responder and add latency to every handshake unless the client caches responses for their thisUpdate to nextUpdate window. The responder is also a point of failure: most browsers soft-fail, meaning that if the responder cannot be reached they accept the certificate anyway, so an attacker who can block OCSP traffic can hide a revocation from the client. Additionally, the spec does not require encryption (OCSP normally runs over plain HTTP). Responses are signed, so they cannot be forged, but both request and response can be intercepted and read, and because the request names the certificate being checked, an observer learns which sites the user is visiting. OCSP stapling, in which the server fetches the response from the responder itself and hands it to the client inside the TLS handshake, addresses the load and privacy problems.
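The exchange described above, as an added example that is not part of the original page: a client builds an OCSPRequest for one certificate, a responder answers good, revoked or unknown, and the client decodes the answer and enforces the thisUpdate/nextUpdate window (the same staleness rule a CRL's nextUpdate imposes). It is standard-library Python with a hand-written DER encoder and decoder. Everything in it is constructed: the issuer name and key bytes, the serial number 0x1234, the responder URL ocsp.example.test and the clock NOW are placeholders, there is no CA, and the response carries an empty placeholder signature that parse_response deliberately does not verify. serial_in_request shows what an on-path observer can read from the unencrypted request.

```python
# OCSP on the wire (RFC 6960), stdlib only. Added example, not from the page: inputs are
# constructed, there is no CA, and the responder "signature" is a placeholder nobody verifies.
import base64, hashlib
from datetime import datetime, timedelta, timezone
from urllib.parse import quote
# --- minimal DER (single-byte tags, enough for OCSP) ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body): return bytes([tag]) + _length(len(body)) + body
def seq(*items): return tlv(0x30, b"".join(items))
def ctx(n, *items, cons=True): return tlv((0xA0 if cons else 0x80) | n, b"".join(items))  # [n]
def integer(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # v >= 0
def octets(b): return tlv(0x04, b)
def null(): return tlv(0x05, b"")
def enum(v): return tlv(0x0A, bytes([v]))
def gtime(dt): return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))
def read_tlv(buf, pos=0):  # -> (tag, body, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(body):  # -> [(tag, body), ...] for the content of a constructed element
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

SHA1_OID, OCSP_BASIC_OID = "1.3.14.3.2.26", "1.3.6.1.5.5.7.48.1.1"
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
           4: "superseded", 5: "cessationOfOperation", 6: "certificateHold"}
DAY = timedelta(days=1)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for the demo

# --- client: OCSPRequest { tbsRequest { requestList { Request { reqCert CertID } } } }
def build_request(issuer_name_der, issuer_pubkey_bits, serial):
    # CertID (4.1.1): hashAlgorithm, SHA-1(issuer DN DER), SHA-1(issuer subjectPublicKey), serial
    cert_id = seq(seq(oid(SHA1_OID), null()), octets(hashlib.sha1(issuer_name_der).digest()),
                  octets(hashlib.sha1(issuer_pubkey_bits).digest()), integer(serial))
    return seq(seq(seq(seq(cert_id))))
def get_url(responder_url, request_der):  # GET form (A.1): base64 of the DER, URL-escaped
    return responder_url.rstrip("/") + "/" + quote(base64.b64encode(request_der).decode(), safe="")
def request_cert_id(request_der):  # (tag, body) of the CertID in the first Request
    _, tbs, _ = read_tlv(read_tlv(request_der)[1])
    request_list = next(b for t, b in children(tbs) if t == 0x30)
    tag, body, _ = read_tlv(read_tlv(request_list)[1])
    return tag, body
def serial_in_request(request_der):  # what an on-path observer reads from the plaintext request
    return int.from_bytes(children(request_cert_id(request_der)[1])[3][1], "big")
# --- responder: OCSPResponse(successful) wrapping an UNSIGNED BasicOCSPResponse
def build_response(request_der, status, now, reason=None, validity=DAY):
    cert_id = tlv(*request_cert_id(request_der))
    if status == "good":
        cert_status = ctx(0, cons=False)                                  # [0] IMPLICIT NULL
    elif status == "revoked":                                             # [1] IMPLICIT RevokedInfo
        cert_status = ctx(1, gtime(now - validity), ctx(0, enum(reason)) if reason is not None else b"")
    else:
        cert_status = ctx(2, cons=False)                                  # [2] IMPLICIT NULL: unknown
    single = seq(cert_id, cert_status, gtime(now), ctx(0, gtime(now + validity)))  # thisUpdate, nextUpdate
    responder_id = ctx(2, octets(hashlib.sha1(b"constructed responder key").digest()))  # byKey
    response_data = seq(responder_id, gtime(now), seq(single))           # producedAt, responses
    # Placeholder signature (empty BIT STRING): a real responder signs response_data with its key.
    basic = seq(response_data, seq(oid("1.2.840.113549.1.1.11"), null()), tlv(0x03, b"\x00"))
    return seq(enum(0), ctx(0, seq(oid(OCSP_BASIC_OID), octets(basic))))
# --- client: pull out the status and enforce the thisUpdate..nextUpdate window
def _time(b): return datetime.strptime(b.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
def parse_response(response_der, now):
    # -> (status, thisUpdate, nextUpdate, reason). The signature is NOT checked here; a real client
    # verifies it against the CA (or its delegated responder cert) before trusting any of this.
    (_, resp_status), (_, resp_bytes) = children(read_tlv(response_der)[1])[:2]
    if resp_status != b"\x00":
        raise ValueError("responder error status %d" % resp_status[0])
    basic_der = children(read_tlv(resp_bytes)[1])[1][1]       # ResponseBytes.response OCTET STRING
    response_data = read_tlv(read_tlv(basic_der)[1])[1]        # BasicOCSPResponse.tbsResponseData
    responses = next(b for t, b in children(response_data) if t == 0x30)
    items = children(read_tlv(responses)[1])                   # CertID, CertStatus, thisUpdate, [0] nextUpdate
    status = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}[items[1][0]]
    this_update = _time(items[2][1])
    next_update = next((_time(read_tlv(b)[1]) for t, b in items[3:] if t == 0xA0), None)
    reason = next((REASONS.get(read_tlv(b)[1][0]) for t, b in children(items[1][1])[1:] if t == 0xA0), None)
    if now < this_update or (next_update is not None and now > next_update):
        raise ValueError("stale OCSP response (outside thisUpdate..nextUpdate): do not trust or cache it")
    return status, this_update, next_update, reason

if __name__ == "__main__":
    req = build_request(b"constructed issuer Name DER", b"constructed issuer subjectPublicKey", 0x1234)
    print(get_url("http://ocsp.example.test", req), hex(serial_in_request(req)))
    print(parse_response(build_response(req, "revoked", NOW, reason=1), NOW))
```

Running it prints the GET-form URL (the serial number is recoverable from it by anyone on the path) and the decoded revoked response with its reason. In a real client the step between decoding and trusting is signature verification against the CA or its delegated responder certificate; the point of the freshness check is that a replayed old "good" response must not outlive its nextUpdate.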

Support for OCSP

OCSP only helps if the browser actually asks the responder. At the time of writing, among the major browsers:

  • Mozilla Firefox supports OCSP by default beginning in Firefox 3.
  • Safari supports OCSP checking but only when it is activated manually through Keychain preferences.
  • Internet Explorer 7 and later support OCSP on Windows Vista and later.
  • Opera supports OCSP beginning with version 8.0.
  • Google Chrome also supports OCSP, though it later disabled live OCSP queries by default in favor of its own CRLSets mechanism.