Online Certificate Status Protocol

OCSP
Online Certificate Status Protocol
Status: Proposed Standard
Year started: 4 February 2002 (2002-02-04)[1]
First published: 11 February 2013 (2013-02-11)[1]
Authors:
  • Stefan Santesson
  • Michael Myers
  • Rich Ankney
  • Ambarish Malpani
  • Slava Galperin
  • Carlisle Adams
  • Mohit Sahni
  • Himanshu Sharma
Base standards:
Domain: Digital certificate
Website:
  • RFC 6960: OCSP
  • RFC 8954: OCSP Nonce Extension
  • RFC 9654: OCSP Nonce Extension Enhancements

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.[2] It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRLs), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI).[3] OCSP messages are encoded in ASN.1 and are usually carried over HTTP. The request/response nature of these messages leads to OCSP servers being termed OCSP responders.

Some web browsers (e.g., Firefox[4]) use OCSP to validate HTTPS certificates, while others have disabled it.[5][6] Most OCSP revocation statuses on the Internet disappear soon after certificate expiration.[7]

Certificate authorities (CAs) were previously required by the CA/Browser Forum to provide OCSP service, but this requirement was removed in August 2023, making CRLs required again instead.[8] Let's Encrypt has announced its intention to end OCSP service as soon as possible, citing privacy concerns and operational simplicity.[9]

  1. Santesson, Stefan; Myers, Michael; Ankney, Rich; Malpani, Ambarish; Galperin, Slava; Adams, Carlisle (June 2013). "History for draft-ietf-pkix-rfc2560bis-20". Retrieved December 23, 2021.
  2. A., Jesin (June 12, 2014). "How To Configure OCSP Stapling on Apache and Nginx". Community Tutorials. Digital Ocean, Inc. Retrieved March 2, 2015.
  3. "OCSP Stapling". GlobalSign Support. GMO GlobalSign Inc. August 1, 2014. Retrieved March 2, 2015.
  4. "CA/Revocation Checking in Firefox". wiki.mozilla.org. Retrieved June 29, 2022.
  5. "Are revoked certificates detected in Safari and Chrome?". September 20, 2017. Retrieved June 29, 2022.
  6. "CRLSets". Retrieved June 29, 2022.
  7. Korzhitskii, Nikita; Carlsson, Niklas (2021). "Revocation Statuses on the Internet". In Hohlfeld, Oliver; Lutu, Andra; Levin, Dave (eds.). Passive and Active Measurement. PAM 2021. LNCS. Vol. 12671. pp. 175–191. arXiv:2102.04288. doi:10.1007/978-3-030-72582-2_11. ISBN 978-3-030-72582-2. ISSN 0302-9743.
  8. Barreira, Inigo (September 28, 2023). "[Servercert-wg] IPR Review period for SC63: Make OCSP optional, require CRLs, and incentivize automation". lists.cabforum.org. Retrieved August 4, 2024.
  9. Aas, Josh (July 23, 2024). "Intent to End OCSP Service". Let's Encrypt. Retrieved August 4, 2024.