Advanced | Help | Encyclopedia
Directory

Encyclopaedia
O
Oc
Oca
Ocb
Occ
Ocd
Oce
Ocf
Ocg
Och
Oci
Ocj
Ock
Ocl
Ocm
Ocn
Oco
Ocp
Ocq
Ocr
Ocs
Oct
Ocu
Ocv
Ocw
Ocx
Ocy
Ocz

Online Certificate Status Protocol

(Redirected from OCSP)

Online Certificate Status Protocol (OCSP) is a method for determining the revocation status of an X.509 digital certificate using means other than CRLs. It is described in RFC 2560 and is on the Internet standards track.

OCSP messages are encoded in ASN.1 and usually communicated over HTTP. OCSP's request/response nature leads to OCSP servers being termed as OCSP responders.

Table of contents

Advantages over CRLs

OCSP was created to overcome certain deficiencies of CRLs. When deploying a PKI, certificate validation using OCSP may be preferred over the use of CRLs for several reasons.

  • OCSP can provide more timely information regarding the revocation status of a certificate.
  • OCSP removes the need for clients to retrieve and parse CRLs themselves, saving network traffic and client-side logic.
  • The content of CRLs can be considered sensitive information, analogous to a credit card company's "bad customer" list.
  • An OCSP responder can implement billing mechanisms to pass the cost of validation transactions to the seller, rather than buyer.
  • To a degree, OCSP supports trusted chaining of OCSP requests between responders. This allows clients to communicate with a trusted responder to query a alternate, unknown certificate authority within the same PKI.

Basic PKI implementation

  • Alice and Bob have public key certificates issued by Ivan.
  • Alice wishes to perform a transaction with Bob and sends him her public key certificate.
  • Bob, concerned that Alice's private key may have been compromised, creates an 'OCSP request' that contains a fingerprint of Alice's public key and sends it to Ivan, the Certificate authority (CA).
  • Ivan's OCSP responder looks up the revocation status of Alice's certificate (using the fingerprint Bob created as a key) in his own CA database. If Alice's private key had been compromised, this is the only trusted location at which the fact would be recorded.
  • Ivan's OCSP responder confirms that Alice's certificate is still OK, and returns a signed, successful 'OCSP response' to Bob.
  • Bob cryptographically verifies the signed response (He has Ivan's public key on-hand — Ivan is a trusted responder) and ensures that it was produced recently.
  • Bob completes the transaction with Alice.

Protocol details

An OCSP responder may return a signed response signifying that the certificate supplied in the request is 'good', 'revoked' or 'unknown', or else it may return an error code. Unfortunately, the OCSP v.1 draft is slightly ambiguous on the meaning of 'unknown'. It may mean that the subject certificate itself is unknown, or that the revocation status of the certificate is unknown.

The OCSP request format supports additional extensions. This enables extensive customization to a particular PKI scheme.

OCSP can be resistant to replay attacks, where a signed, 'good' response is captured by an malicious intermidiary and replayed to the client at a later date after the subject certificate may have been revoked. OCSP overcomes this by allowing a nonce to be included in the request that must be included in the corresponding response.

OCSP can support more than one level of CA. OCSP requests may be chained between peer responders to query the issuing CA appropriate for the subject certicate, with responders validating each other's responses against the root CA using their own OCSP requests.

An OCSP responder may be queried for revocation information by delegated path validation (DPV) servers. OCSP does not, by itself, perform any DPV of supplied certificates.

Vendor implementations

Vendor implementations of the OCSP protocol include:

External links

  • OpenValidation has a detailed market overview, interoperability information and development resources related to on-line validation.







Links: Addme | Keyword Research | Paid Inclusion | Femail | Software | Completive Intelligence

Add URL | About Slider | FREE Slider Toolbar - Simply Amazing
Copyright © 2000-2008 Slider.com. All rights reserved.
Content is distributed under the GNU Free Documentation License.