The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. Since an OCSP response has less data to parse than a certificate revocation list (CRL), the client-side libraries that handle it can be less complex than those that handle CRLs. OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties on the network path may intercept this information.
Alice wishes to perform a transaction with Bob and sends him her public key certificate. Bob, concerned that Alice's private key may have been compromised, creates an 'OCSP request' that contains the serial number of Alice's certificate and sends it to Carol, the certificate authority (CA) that issued it. Carol's OCSP responder reads the certificate serial number from Bob's request and uses it to look up the revocation status of Alice's certificate.
The OCSP responder looks in a CA database that Carol maintains. In this scenario, Carol's CA database is the only trusted location where a compromise of Alice's certificate would be recorded. Carol's OCSP responder confirms that Alice's certificate has not been revoked and returns a signed, successful 'OCSP response' to Bob. Bob cryptographically verifies Carol's signed response.
Bob stored Carol's public key at some time before this transaction and uses it to verify Carol's signature on the response. Bob then completes the transaction with Alice. If the responder cannot process a request, it may return an error code instead of a signed status. The OCSP request format supports additional extensions.
This enables extensive customization to a particular PKI scheme. OCSP can be vulnerable to replay attacks, in which a signed 'good' response is captured by a malicious intermediary and replayed to the client at a later date, after the subject certificate may have been revoked. OCSP allows a nonce to be included in the request and echoed in the corresponding response, which lets a client reject a replayed response, but many responders do not honour the nonce because they serve pre-signed, cached responses; such a client can only rely on the response's thisUpdate/nextUpdate validity interval. OCSP can support more than one level of CA: requests may be chained between peer responders to query the issuing CA appropriate for the subject certificate, with responders validating each other's responses against the root CA using their own OCSP requests. OCSP does not, by itself, perform any delegated path validation (DPV) of the supplied certificates.
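The Alice/Bob/Carol exchange described above, together with the replay scenario, as an added example that is not part of the original page or of any OCSP implementation it describes. It is written against the pyca/cryptography library: Bob builds a request carrying the certificate serial number and a nonce, Carol's responder looks the serial number up in her CA database and signs the answer, and Bob verifies that answer with Carol's previously stored public key. Carol's key, Alice's certificate, the in-memory CA database and the function names (`make_cert`, `build_request`, `responder`, `verify_response`, `demo`) are all constructed for the example; Carol signing responses directly with her CA key rather than with a delegated responder certificate is an assumption made for brevity. The nonce comparison and the validity-window check on the client are the standard mitigations for the replay attack described above, not steps the page itself lists.

```python
"""Added example (not from the original page): the Alice/Bob/Carol OCSP exchange built with
pyca/cryptography. Carol's key, Alice's certificate and the CA database are constructed in memory."""
import datetime
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
DER = serialization.Encoding.DER

def make_cert(subject_cn, issuer_cert, issuer_key, subject_key, is_ca):
    """Constructed helper: issue a one-day certificate; issuer_cert=None means self-signed."""
    now = datetime.datetime.now(UTC)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    builder = (x509.CertificateBuilder().subject_name(subject)
               .issuer_name(issuer_cert.subject if issuer_cert is not None else subject)
               .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=1))
               .not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

# Carol: CA and OCSP responder. Assumption: she signs responses with the CA key itself.
carol_key = ec.generate_private_key(ec.SECP256R1())
carol_cert = make_cert("Carol CA", None, carol_key, carol_key, True)
alice_key = ec.generate_private_key(ec.SECP256R1())
alice_cert = make_cert("Alice", carol_cert, carol_key, alice_key, False)
ISSUED = {alice_cert.serial_number: alice_cert}  # Carol's CA database, keyed by serial number
REVOKED = {}                                      # serial number -> revocation time

def build_request(cert, issuer):
    """Bob: identify the certificate by issuer hashes plus serial number and attach a fresh nonce."""
    nonce = os.urandom(16)
    req = (ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False).build())
    return req.public_bytes(DER), nonce

def responder(der_request):
    """Carol: read the serial number, consult the CA database, return a signed DER response."""
    req = ocsp.load_der_ocsp_request(der_request)
    cert = ISSUED.get(req.serial_number)
    if cert is None:  # cannot answer for this certificate: an error code instead of a signed status
        return ocsp.OCSPResponseBuilder.build_unsuccessful(
            ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
    now = datetime.datetime.now(UTC)
    revoked_at = REVOKED.get(req.serial_number)
    status = ocsp.OCSPCertStatus.REVOKED if revoked_at else ocsp.OCSPCertStatus.GOOD
    nonce = req.extensions.get_extension_for_class(x509.OCSPNonce).value  # echoed back to Bob
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=cert, issuer=carol_cert, algorithm=hashes.SHA1(),
                             cert_status=status, this_update=now,
                             next_update=now + datetime.timedelta(hours=1),
                             revocation_time=revoked_at, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, carol_cert)
               .add_extension(nonce, critical=False))
    return builder.sign(carol_key, hashes.SHA256()).public_bytes(DER)

def _utc(resp, field):  # cryptography >= 42 has tz-aware *_utc properties; older ones only naive UTC
    value = getattr(resp, field + "_utc", None)
    return value if value is not None else getattr(resp, field).replace(tzinfo=UTC)

def verify_response(der_response, responder_public_key, expected_serial, nonce, now=None):
    """Bob: verify the signature with Carol's pre-stored public key, then check that the response
    answers this request (serial number, nonce) and lies inside its validity window."""
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder error: " + resp.response_status.name)
    responder_public_key.verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))  # InvalidSignature if forged
    if resp.serial_number != expected_serial:
        raise ValueError("response is about a different certificate")
    # Replay defence: a captured 'good' response still carries the nonce of the earlier request.
    if resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce != nonce:
        raise ValueError("nonce mismatch: possible replay of an old response")
    now = now or datetime.datetime.now(UTC)
    if not (_utc(resp, "this_update") <= now <= _utc(resp, "next_update")):
        raise ValueError("response outside its thisUpdate/nextUpdate window")
    return resp.certificate_status.name

def demo():
    """Page scenario, then revocation, a replayed 'good' response, and a serial Carol does not know."""
    REVOKED.clear()
    pub = carol_key.public_key()  # Bob obtained Carol's public key before the transaction
    serial = alice_cert.serial_number
    der_req, nonce = build_request(alice_cert, carol_cert)
    captured = responder(der_req)  # an intermediary on the unencrypted path records this response
    status_before = verify_response(captured, pub, serial, nonce)           # "GOOD"
    REVOKED[serial] = datetime.datetime.now(UTC)                           # Carol revokes Alice
    der_req, nonce = build_request(alice_cert, carol_cert)
    status_after = verify_response(responder(der_req), pub, serial, nonce)  # "REVOKED"
    _, fresh_nonce = build_request(alice_cert, carol_cert)
    try:  # the intermediary answers Bob's new request with the captured 'good' response
        verify_response(captured, pub, serial, fresh_nonce)
        replay_error = None
    except ValueError as err:
        replay_error = str(err)
    der_req, nonce = build_request(carol_cert, carol_cert)  # a serial not in Carol's database
    try:
        verify_response(responder(der_req), pub, carol_cert.serial_number, nonce)
        unknown_error = None
    except ValueError as err:
        unknown_error = str(err)
    return status_before, status_after, replay_error, unknown_error
```

Running `demo()` returns `('GOOD', 'REVOKED', 'nonce mismatch: possible replay of an old response', 'responder error: UNAUTHORIZED')`. The replayed response still carries a valid signature from Carol and is still inside its one-hour window, so only the nonce comparison catches it; against a responder that serves pre-signed responses and ignores the nonce, the `get_extension_for_class` call would raise `ExtensionNotFound` and the client would be left with the window check alone, which is exactly the exposure the text above describes.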