
OCSP (Online Certificate Status Protocol) - an explanation

OCSP is specified in RFC 2560 and gives applications a means to query the validity status of an identified certificate in (almost) real time. When utilising OCSP, the OCSP client sends the responder a request message identifying the certificate for which status information is required. While the client waits for the response, acceptance of the certificate is suspended. When the response arrives, the client acts on it: it either accepts or rejects the certificate.

Unfortunately, most applications today do not support automated checking of certificate revocation lists (CRLs) even when they are available, which means that CRL checking must be added to applications that require valid certificates. Differing validation methods between CAs are yet another challenge in deploying large-scale PKI, though this can be alleviated by using third parties such as ValiCert. ValiCert's Validator Suite can check the status of any X.509 certificate using any of today's popular validation mechanisms, including CRLs, OCSP, CRL Distribution Points (CRLDP) and ValiCert's own Certificate Revocation Tree (CRT) solution.

It is more than a little disturbing to realise that in the four years since we first published this report, very little has changed in this area in terms of making CRL checking as automated and seamless as possible for the end user.
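The accept-or-reject step described above for the OCSP client, as an added example that is not part of the original page: it walks the DER of an RFC 2560 response and rejects unless the certificate status is parsed as good, so responder errors and malformed replies fail closed. The helper names (`tlv`, `kids`, `enc`, `sample`, `decide`) and all sample bytes are constructed for illustration, and verifying the responder's signature, matching the certID and checking freshness are assumed to happen elsewhere.

```python
# Added example, not from the original page. Assumes signature, certID match
# and freshness checks happen elsewhere; all sample bytes are constructed.
def tlv(buf, pos=0):                      # one DER TLV -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def kids(value):                          # children of a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def enc(tag, *parts):                     # DER encoder, used only for samples
    val = b"".join(parts)
    n = len(val)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag, 0x80 | len(size) if size else n]) + size + val

def sample(cert_status):                  # constructed successful OCSPResponse
    oid = lambda h: enc(0x06, bytes.fromhex(h))
    when = enc(0x18, b"20240101000000Z")  # producedAt / thisUpdate placeholder
    cert_id = enc(0x30, enc(0x30, oid("2b0e03021a"), enc(0x05)),      # SHA-1
                  enc(0x04, bytes(20)), enc(0x04, bytes(20)), enc(0x02, b"\x01"))
    tbs = enc(0x30, enc(0xA2, enc(0x04, bytes(20))), when,
              enc(0x30, enc(0x30, cert_id, cert_status, when)))
    basic = enc(0x30, tbs, enc(0x30, oid("2a864886f70d01010b"), enc(0x05)),
                enc(0x03, b"\x00\x00"))   # dummy signature
    body = enc(0x30, oid("2b0601050507300101"), enc(0x04, basic))     # ocsp-basic
    return enc(0x30, enc(0x0A, b"\x00"), enc(0xA0, body))

STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}   # certStatus tags
def decide(der):                          # -> ("accept"|"reject", reason)
    try:
        top = kids(tlv(der)[1])
        if top[0][1] != b"\x00":          # responseStatus is not "successful"
            return "reject", f"responder error {top[0][1][0]}"
        rb = kids(kids(top[1][1])[0][1])  # ResponseBytes inside [0]
        tbs = kids(kids(tlv(rb[1][1])[1])[0][1])   # tbsResponseData fields
        responses = next(v for t, v in tbs if t == 0x30)
        single = kids(kids(responses)[0][1])        # first SingleResponse
        status = STATUS.get(single[1][0], "unparsed")
    except (ValueError, IndexError, StopIteration):
        return "reject", "malformed response"
    return ("accept" if status == "good" else "reject"), status
```

A status of unknown, a responder error such as tryLater, and a truncated reply all lead to rejection here; only a parsed good status leads to acceptance.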