Online Certificate Status Protocol: Difference between revisions

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 2560 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

When deploying a PKI, certificate validation using OCSP may be preferred over the use of CRLs for several reasons:

• OCSP can provide more timely information regarding the revocation status of a certificate.
• OCSP removes the need for clients to retrieve the (sometimes very large) CRLs themselves, leading to less network traffic and better bandwidth management.
• Using OCSP, clients do not need to parse CRLs themselves, saving client-side complexity.
• An OCSP responder may implement billing mechanisms to pass the cost of validation transactions to the seller, rather than buyer.
• CRLs may be seen as analogous to a credit card company's "bad customer list" -- an unnecessarily public exposure.
• To a degree, OCSP supports trusted chaining of OCSP requests between responders. This allows clients to communicate with a trusted responder to query an alternate responder, saving client-side complexity.

1. Alice and Bob have public key certificates issued by Ivan, the Certificate Authority (CA).
2. Alice wishes to perform a transaction with Bob and sends him her public key certificate.
3. Bob, concerned that Alice's private key may have been compromised, creates an 'OCSP request' that contains a fingerprint of Alice's public key and sends it to Ivan.
4. Ivan's OCSP responder looks up the revocation status of Alice's certificate (using the fingerprint Bob created) in his own CA database. If Alice's private key had been compromised, this is the only trusted location at which the fact would be recorded.
5. Ivan's OCSP responder confirms that Alice's certificate is still OK, and returns a signed, successful 'OCSP response' to Bob.
6. Bob cryptographically verifies the signed response (He has Ivan's public key on-hand -- Ivan is a trusted responder) and ensures that it was produced recently.
7. Bob completes the transaction with Alice.

An OCSP responder may return a signed response signifying that the certificate specified in the request is 'good', 'revoked' or 'unknown'. If it cannot process the request, it may return an error code.

The OCSP request format supports additional extensions. This enables extensive customization to a particular PKI scheme.

OCSP can be resistant to replay attacks, where a signed, 'good' response is captured by a malicious intermediary and replayed to the client at a later date after the subject certificate may have been revoked. OCSP overcomes this by allowing a nonce to be included in the request that must be included in the corresponding response.

However, the replay attack, while a possibility, is not a major threat to validation systems. This is due to the steps it takes to actually exploit this weakness. The attacker would have to be in a position to

1. capture the traffic and subsequently replay that traffic,
2. capture the status of a certificate whose status is about to change and
3. conduct a transaction requiring the status of that certificate within the time frame of the validity of the response.

Since it is not often that a revoked certificate is unrevoked (only if it is suspended is it even possible) a person would have to capture a good response and wait until the certificate was revoked then replay it.

OCSP can support more than one level of CA. OCSP requests may be chained between peer responders to query the issuing CA appropriate for the subject certificate, with responders validating each other's responses against the root CA using their own OCSP requests.

An OCSP responder may be queried for revocation information by delegated path validation (DPV) servers. OCSP does not, by itself, perform any DPV of supplied certificates.

Vendor implementations of the OCSP protocol include:

• Ascertia's TrustFinderOCSP www.ascertia.com
• Red Hat's Red Hat Certificate Management System
• Baltimore Technologies' KeyTools
• Bloombase Technologies' Spitfire KeyCastle
• Computer Associates' eTrust OCSPro
• CoreStreet's Validation Authority
• GemPlus GemSAFE eSigner
• Kyberpass TrustPlatform
• Mozilla's Network Security Services
• Netegrity SiteMinder (See Computer Associates)
• The OpenSSL toolkit.
• RSA Security's Keon Certificate Authority
• Sun Microsystems' Sun ONE Identity Server
• Tumbleweed Communications' Valicert Validation Authority
• VeriSign's OCSP Responder Service
• Safelayer's KeyOne VA
• The OpenCA OCSP Responder
• strongSwan's OCSP Client for IPsec

• OpenValidation has a detailed market overview, interoperability information and other development resources related to on-line validation, the site is just outdated (no linkcheck) and apparently commercially driven.
• PKI and Web Service Security standars
• Public Key Infraestructure (Vendor implementation)