OCSP

Online Certificate Status Protocol (OCSP) allows a client to query a CA for the revocation status of a single certificate by sending a request to an OCSP responder. The responder will return one of three statuses - good, revoked, or unknown. It is more efficient than Certificate Revocation Lists (CRLs) which require downloading a full list, but can overload responders for high-traffic sites and lacks privacy as the CA can observe users' behaviors. OCSP is also vulnerable to man-in-the-middle attacks if the responder's private key is compromised.

Uploaded by gayathrisan

OCSP

Online Certificate Status Protocol (OCSP) is a web service protocol that allows a client to query
the CA for the revocation status of a single certificate. The CA runs a server called an OCSP responder;
the client finds the responder's URL in the certificate and queries that server directly, which avoids the
overhead of downloading a full CRL.

How it works

An OCSP client sends a status request to an OCSP responder and suspends acceptance of the certificate
in question until the responder provides a response.

OCSP Request

An OCSP request contains the following information:

Protocol version

Service Request

Target certificate identifier

Other optional extensions.

Upon receiving the request, the OCSP responder checks that the following conditions are met:

The message should be well-formed.

The responder should be configured to provide the requested service.

The request should contain the information needed by the responder.

It returns a definitive response if all of the above conditions are met, and produces an error message
otherwise.

OCSP Response

An OCSP response can be of various types, but only one kind, the basic response, is
supported by all OCSP servers and clients. A basic OCSP response contains the following information:

The version of the response syntax

Identifier of the responder

The time when the response was generated

Responses for each of the certificates in a request

Optional extensions

Signature algorithm OID

Signature computed across a hash of the response


There are 3 certificate status values that can be returned:

Good

A certificate status of “good” shows that the certificate is valid for use. At a minimum, this
shows that a certificate with the corresponding serial number and validity period hasn’t been revoked.

Revoked

The “revoked” state indicates that the certificate has been temporarily or permanently revoked.
If the CA has no record of ever having issued a certificate with the certificate serial number in the
request, then this status may also be returned.

Unknown

The “unknown” state indicates that the responder doesn’t know about the certificate being
requested, usually because the request indicates an unrecognized issuer that is not served by this
responder.

The OCSP response is always signed by the CA, so that any alteration of the response while it is in
transit can be detected by the client.
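As an added illustration of the request/response exchange described above (written for this page, not taken from the original document), the following script runs a complete OCSP exchange offline with the openssl command-line tool. Everything in it is constructed test data: a throwaway issuing CA, three leaf certificates with made-up serial numbers, and an index.txt file that stands in for the CA's revocation database; the file and function names are the example's own. It assumes openssl 1.1.1 or 3.x is installed. openssl ocsp first builds the request from the issuer and target certificates, then, given the index file, acts as the responder and returns one of the three statuses discussed above, and finally verifies the signed response against the CA before reading the status out.

```shell
#!/bin/sh
# Added example (not from the original document): an offline OCSP exchange
# driven entirely by the openssl command-line tool. Everything here is
# constructed test data: a throwaway issuing CA, three leaf certificates,
# and an index.txt that stands in for the CA's revocation database.
# `openssl ocsp` plays the client (building the request), then the
# responder (answering from the index and signing), then the client
# again (verifying the signature and reading the status). No network.
set -e

setup_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    # Self-signed issuing CA; its key also signs the OCSP responses.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout ca.key \
        -out ca.pem -subj "/CN=Example Issuing CA" 2>/dev/null
    # Leaf certificates: 0x1001 stays valid, 0x1002 is revoked, and
    # 0x1003 is issued but never recorded in the responder's database.
    for spec in good:1001 revoked:1002 stray:1003; do
        name=${spec%%:*}
        serial=${spec##*:}
        openssl req -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.csr" -subj "/CN=$name.example.test" 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
            -set_serial "0x$serial" -days 30 -out "$name.pem" 2>/dev/null
    done
    # OpenSSL CA database, tab-separated: status (V/R), expiry,
    # revocation time[,reason], serial in hex, file, subject.
    printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=good.example.test\n' \
        > index.txt
    printf 'R\t350101000000Z\t240101000000Z,keyCompromise\t1002\tunknown\t/CN=revoked.example.test\n' \
        >> index.txt
}

# Client, step 1: build the DER OCSPRequest. The CertID inside it is the
# hash of the issuer name, the hash of the issuer public key, and the
# serial number; no nonce, so the exchange is deterministic.
build_request() {
    openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout "$1.req" 2>/dev/null
}

# Responder: match the CertID against its own CA, look the serial up in
# index.txt (good / revoked / unknown), sign the BasicOCSPResponse with
# the CA key and give it a one-day nextUpdate. -noverify only skips the
# tool re-checking the signature it has just produced.
answer_request() {
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin "$1.req" -respout "$1.resp" -ndays 1 -no_nonce -noverify 2>/dev/null
}

# Client, step 2: verify the response signature against the trusted CA
# (openssl exits non-zero on failure, which aborts the script), then
# return only the status word printed for this certificate.
read_status() {
    openssl ocsp -respin "$1.resp" -issuer ca.pem -cert "$1" -no_nonce \
        -CAfile ca.pem -out "$1.status" 2>/dev/null
    sed -n "s/^$1: //p" "$1.status"
}

# One complete exchange for a certificate file; echoes good/revoked/unknown.
ocsp_status() {
    build_request "$1"
    answer_request "$1"
    read_status "$1"
}

setup_pki
for cert in good.pem revoked.pem stray.pem; do
    printf '%s -> %s\n' "$cert" "$(ocsp_status "$cert")"
done
```

The third certificate shows the "unknown" case: it was issued by the CA but the responder's database has no record of its serial, and openssl's responder gives the same answer when a request names an issuer it is not configured to serve. The final step is the check that matters for the signing requirement discussed above: if the response were produced by a key the client does not trust through -CAfile, verification fails and the status is never read.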

Disadvantages

Since the request is sent for each certificate every single time, it can overload the OCSP
responder for high-traffic websites.

Although the above can be solved by using OCSP Stapling, it is not yet supported by all browsers.

If the OCSP responder's private key is compromised, an attacker can pose as the responder using a
Man in the Middle attack.

S.No | CRL | OCSP
1 | A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. | Online Certificate Status Protocol (OCSP) is a web service protocol that allows a client to query the CA for the revocation status of a single certificate.
2 | A CRL is a list of revoked certificates that is downloaded from the Certificate Authority (CA). | OCSP is a request/response protocol: the OCSP client sends a status request to an OCSP responder and the responder provides a response.
3 | A CRL is distributed using a CRL distribution point (CDP), which can be an HTTP link or an LDAP server. | The status of a certificate is fetched by making a request to an OCSP responder.
4 | - | Because clients depend on the OCSP response, OCSP responders need to provide responses with low latency and high availability.
5 | The CRL is big, which can have a considerable effect on network and client performance. | The load on the client and network is considerably lower than with CRLs.
6 | CRL checking can be significantly more efficient because the CRL can be downloaded once per day instead of needing to check OCSP for every connection. | An OCSP request is sent for each certificate every single time, which can overload the OCSP responder for high-traffic websites.
7 | A CRL is just a list. | If the OCSP responder's private key is compromised, an attacker can pose as the responder using a Man in the Middle attack.
8 | Monitoring users is not possible with a CRL. | The CA can observe users' browsing behaviour by monitoring incoming OCSP requests from clients.
9 | - | Soft failure (the client proceeds as if the certificate were valid when no response arrives) frequently happens in OCSP.
