ActiveSocket Network Communication Toolkit - SNMP Get/GetNext/Set and SNMP Traps using Visual Basic .NET, Visual Studio .NET, ASP, ASP.NET, PHP, Delphi, ColdFusion and more
OCSP (Online Certificate Status Protocol) - an explanation
OCSP is specified in RFC 2560 and gives applications a means to query the validity status of an identified certificate in (almost) real time. When utilising OCSP, the OCSP client sends the responder a request message containing information that identifies the certificate whose status is required. While the OCSP client waits for the response, the certificate is treated as suspended: it is neither trusted nor rejected. When a response is received, the client acts on it, either accepting or rejecting the certificate.

Unfortunately, most applications today do not support automated checking of CRLs even when they are available, so CRL checking must be added to applications that require valid certificates. Differing validation methods between CAs are yet another challenge of deploying large-scale PKI, though this can be alleviated by using third parties such as ValiCert.
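The request/response exchange described above, modelled as an added example (not code from ActiveSocket or ValiCert): the client builds an RFC 2560 CertID from SHA-1 hashes of the issuer's name and public key plus the serial number, stays in the suspended state until a response arrives, and accepts only a fresh, nonce-matching "good" answer. The Responder class, the issuer byte strings and the one-hour validity period are constructed assumptions, not values from the page.

```python
import hashlib
import os
import time
from dataclasses import dataclass

# Constructed sample issuer data; a real client takes these from the issuer certificate.
ISSUER_NAME_DER = b"\x30\x0f\x31\x0d\x30\x0b\x06\x03\x55\x04\x03\x0c\x04Root"
ISSUER_KEY_DER = b"constructed-issuer-public-key-bytes"


@dataclass(frozen=True)
class CertID:
    """RFC 2560 CertID: the hashes identify the issuer, the serial identifies the certificate."""
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


def make_cert_id(issuer_name_der: bytes, issuer_key_der: bytes, serial: int) -> CertID:
    return CertID(hashlib.sha1(issuer_name_der).digest(),
                  hashlib.sha1(issuer_key_der).digest(), serial)


class Responder:
    """Hypothetical responder backed by the CA's issued and revoked serial numbers."""
    def __init__(self, issued: set, revoked: set, period: int = 3600):
        self.issued, self.revoked, self.period = issued, revoked, period

    def respond(self, cert_id: CertID, nonce: bytes, now: int) -> dict:
        if cert_id.serial in self.revoked:
            status = "revoked"
        elif cert_id.serial in self.issued:
            status = "good"
        else:
            status = "unknown"          # responder knows nothing about this certificate
        return {"certID": cert_id, "status": status, "nonce": nonce,
                "thisUpdate": now, "nextUpdate": now + self.period}


def client_decision(cert_id: CertID, nonce: bytes, response, now: int) -> str:
    """Client action on the response: 'accept', 'reject', or 'suspended' while no answer exists."""
    if response is None:
        return "suspended"              # still waiting; the certificate must not be trusted yet
    if response["certID"] != cert_id or response["nonce"] != nonce:
        return "reject"                 # answer for a different certificate, or a replayed one
    if not response["thisUpdate"] <= now <= response["nextUpdate"]:
        return "reject"                 # stale answer: the status may have changed since
    return "accept" if response["status"] == "good" else "reject"


def check_certificate(serial: int, responder: Responder, now: int = None) -> str:
    """Full exchange for one certificate serial against the given responder."""
    now = int(time.time()) if now is None else now
    cert_id = make_cert_id(ISSUER_NAME_DER, ISSUER_KEY_DER, serial)
    nonce = os.urandom(16)              # fresh per request so a cached reply cannot be replayed
    return client_decision(cert_id, nonce, responder.respond(cert_id, nonce, now), now)
```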
ValiCert’s Validator Suite has the ability to check the status of any X.509 certificate using any of today’s popular validation mechanisms, including CRLs, OCSP, CRL Distribution Points (CRLDP) and ValiCert’s own Certificate Revocation Tree (CRT) solution.
It is more than a little disturbing to realise that in the four years since we first published this report, very little has changed in this area in terms of making CRL checking as automated and seamless as possible for the end user.