Online Certificate Status Protocol

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.^[1] It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI).^[2] Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

Comparison to CRLs

Since an OCSP response contains less information than a typical certificate revocation list (CRL), it puts less burden on network and client resources.^[3]
Since an OCSP response has less data to parse, the client-side libraries that handle it can be less complex than those that handle CRLs.^[4]
OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information.^[1]

Basic PKI implementation

Alice and Bob have public key certificates issued by Ivan, the certificate authority (CA).
Alice wishes to perform a transaction with Bob and sends him her public key certificate.
Bob, concerned that Alice's private key may have been compromised, creates an 'OCSP request' that contains Alice's certificate serial number and sends it to Ivan.
Ivan's OCSP responder reads the certificate serial number from Bob's request. The OCSP responder uses the certificate serial number to look up the revocation status of Alice's certificate. The OCSP responder looks in a CA database that Ivan maintains. In this scenario, Ivan's CA database is the only trusted location where a compromise to Alice's certificate would be recorded.
Ivan's OCSP responder confirms that Alice's certificate is still OK, and returns a signed, successful 'OCSP response' to Bob.
Bob cryptographically verifies Ivan's signed response. Bob has stored Ivan's public key sometime before this transaction. Bob uses Ivan's public key to verify Ivan's response.
Bob completes the transaction with Alice.

Protocol details

An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

The OCSP request format supports additional extensions. This enables extensive customization to a particular PKI scheme.

OCSP can be vulnerable to replay attacks,^[5] where a signed, 'good' response is captured by a malicious intermediary and replayed to the client at a later date after the subject certificate may have been revoked. OCSP allows a nonce to be included in the request that must be included in the corresponding response, and the replay would only be possible during the OCSP response's validity period, not for the entire validity period of the original certificate. Nevertheless, since most OCSP responders and clients do not support or use the nonce extension and certificate authorities (CAs) issue responses with a validity period of multiple days, the replay attack is a major threat to validation systems.

OCSP can support more than one level of CA. OCSP requests may be chained between peer responders to query the issuing CA appropriate for the subject certificate, with responders validating each other's responses against the root CA using their own OCSP requests.

An OCSP responder may be queried for revocation information by delegated path validation (DPV) servers. OCSP does not, by itself, perform any DPV of supplied certificates.

The key that signs a response need not be the same key that signed the certificate. The certificate's issuer may delegate another authority to be the OCSP responder. In this case, the responder's certificate (the one that is used to sign the response) must be issued by the issuer of the certificate in question, and must include a certain extension that marks it as an OCSP signing authority (more precisely, an extended key usage extension with the OID {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) keyPurpose(3) ocspSigning(9)})

Privacy concerns

OCSP checking creates a privacy concern for some users, since it requires the client to contact a third party (albeit a party trusted by the client software vendor) to confirm certificate validity. OCSP stapling is a way to verify validity without disclosing browsing behavior to the CA.^[1]

Criticisms

OCSP-based revocation is not an effective technique to mitigate against the compromise of an HTTPS server's private key. An attacker who has compromised a server's private key typically needs to be in a Man-in-the-middle position on the network to abuse that private key and impersonate a server. An attacker in such a position is also typically in a position to interfere with the client's OCSP queries. Because most clients will silently ignore OCSP if the query times out, OCSP is not a reliable means of mitigating HTTPS server key compromise.^[6]

The MustStaple TLS extension in a certificate can require that the certificate be verified by a stapled OCSP response, mitigating this problem.^[3] OCSP also remains a valid defense against situations where the attacker is not a "man-in-the-middle" (code-signing or certificates issued in error).

Browser support

There is wide support for OCSP amongst most major browsers:

Internet Explorer is built on the CryptoAPI of Windows OS and thus starting with version 7 on Windows Vista (not XP^[7]) supports OCSP checking.^[8]
All versions of Mozilla Firefox support OCSP checking. Firefox 3 enables OCSP checking by default.^[9]
Safari on Mac OS X supports OCSP checking. It is enabled by default as of Mac OS X 10.7 (Lion). Prior to that, it has to be manually activated in Keychain preferences.^[10]
Versions of Opera from 8.0^[11]^[12] to the current version support OCSP checking.

However, Google Chrome is an outlier. Google disabled OCSP checks by default in 2012, citing latency and privacy issues^[13] and instead uses their own update mechanism to send revoked certificates to the browser.^[14]

Open source implementations

Some open source implementations are:

XiPKI,^[15] CA and OCSP responder. With SHA3 support, OSGi-based (Java).

References

1 2 3 A., Jesin (June 12, 2014). "How To Configure OCSP Stapling on Apache and Nginx". Community Tutorials. Digital Ocean, Inc. Retrieved March 2, 2015.
↑ "OCSP Stapling". GlobalSign Support. GMO GlobalSign Inc. August 1, 2014. Retrieved March 2, 2015.
1 2 Gibson, Steve. "Security Certificate Revocation Awareness: The case for "OCSP Must-Staple"". Gibson Research Corporation. Retrieved March 2, 2015.
↑ Keeler, David (July 29, 2013). "OCSP Stapling in Firefox". Mozilla Security Blog. Mozilla Foundation. Retrieved March 2, 2015.
↑ RFC 6960, section 5, Security Considerations
↑ "No, Don't Enable Revocation Checking". 19 April 2014. Retrieved 24 April 2014.
↑ "Windows XP Certificate Status and Revocation Checking". Microsoft. Retrieved 9 May 2016.
↑ "What's New in Certificate Revocation in Windows Vista and Windows Server 2008". Microsoft. Retrieved 9 May 2016.
↑ "Mozilla Bug 110161 - Enable OCSP by Default". Mozilla. 1 October 2007. Retrieved 18 July 2010.
↑ Wisniewski, Chester (26 March 2011). "Apple users left to defend themselves against certificate attacks". Sophos. Retrieved 26 March 2011.
↑ Pettersen, Yngve Nysæter (November 9, 2006). "Introducing Extended Validation Certificates". Opera Software. Retrieved 8 January 2010.
↑ Pettersen, Yngve Nysæter (3 July 2008). "Rootstore newsletter". Opera Software. Retrieved 8 January 2010.
↑ Langley, Adam (5 Feb 2012). "Revocation checking and Chrome's CRL". Archived from the original on 2012-02-12. Retrieved 2015-01-30.
↑ "Chrome does certificate revocation better", April 21, 2014, Larry Seltzer, ZDNet
↑ "xipki/xipki · GitHub". Github.com. Retrieved 2016-10-17.

External links

TLS and SSL

Protocols and technologies

Transport Layer Security / Secure Sockets Layer (TLS/SSL)
Datagram Transport Layer Security (DTLS)
DNS Certification Authority Authorization (CAA)
DNS-based Authentication of Named Entities (DANE)
HTTPS
HTTP Public Key Pinning (HPKP)
HTTP Strict Transport Security (HSTS)
OCSP stapling
Perfect forward secrecy
Server Name Indication (SNI)
STARTTLS
Application-Layer Protocol Negotiation (ALPN)

Public-key infrastructure

Automated Certificate Management Environment (ACME)
Certificate authority (CA)
CA/Browser Forum
Certificate policy
Certificate revocation list (CRL)
Domain-validated certificate (DV)
Extended Validation Certificate (EV)
Online Certificate Status Protocol (OCSP)
Public key certificate
Public-key cryptography
Public key infrastructure (PKI)
Root certificate
Self-signed certificate

See also

Domain Name System Security Extensions (DNSSEC)
Internet Protocol Security (IPsec)
Secure Shell (SSH)

History

Implementations

Notaries

Vulnerabilities

Theory	Man-in-the-middle attack Padding oracle attack Lucky Thirteen attack

Cipher	Bar mitzvah attack

Protocol	BEAST BREACH CRIME DROWN Logjam POODLE (in regards to SSL 3.0)

Implementation	Certificate authority compromise Random number generator attacks FREAK goto fail Heartbleed POODLE (in regards to TLS 1.0)

Web browsers

Features	Ad filtering Augmented browsing Bookmarks Bookmarklet Live bookmark Smart Bookmarks Browser extension Browser security Browser synchronizer comparison Cookies Download manager Favicon Incremental search Plug-in Privacy mode Tabs Universal Edit Button

Web standards	Acid tests Cascading Style Sheets HTML HTML5 JavaScript MathML OCSP SVG WebGL XHTML

Related topics	BrowserChoice.eu CRL HTTP HTTPS iLoo Internet suite Man-in-the-browser Mobile Web Offline reader PAC Pwn2Own Rich Internet application Site-specific browser SPDY SSL/TLS WebSocket Widget World Wide Web WPAD XML

Desktop

Blink-based	Chromium Brave Chrome Dragon Opera Sleipnir Slimjet SRWare Iron UC Browser Vivaldi Yandex.Browser Sputnik

WebKit-based	Arora Avant Dooble Epic Flock Fluid iCab Konqueror Lunascape Maxthon Midori OmniWeb Origyn Web Browser Otter Browser QtWeb QupZilla rekonq Safari Shiira SlimBoat surf Torch Uzbl Web WebPositive xombrero

Trident-based	AOL Explorer Avant Deepnet Explorer GreenBrowser Internet Explorer Lunascape Maxthon MediaBrowser MenuBox NeoPlanet NetCaptor SlimBrowser SpaceTime UltraBrowser WebbIE ZAC Browser

Gecko-based	AT&T Pogo Avant Camino Firefox Conkeror GNU IceCat IceDragon Swiftfox Swiftweasel TenFourFox Timberwolf Tor Browser Waterfox xB Browser Galeon Ghostzilla K-Meleon Kazehakase Kirix Strata Lotus Symphony Lunascape Mozilla Beonex Communicator Classilla Netscape SeaMonkey

Text-based	ELinks Emacs/W3 Line Mode Browser Links Lynx w3m

Other	abaco Amaya Arachne Arena Charon Dillo eww Gazelle HotJava IBM Home Page Reader IBrowse KidZui Microsoft Edge Mosaic Mothra NetPositive NetSurf Pale Moon

Mobile

Blink-based	Android Browser Chromium Brave Chrome Opera Mobile Silk

WebKit-based	BOLT Dolphin Browser Firefox for iOS Maxthon Mercury Browser Nokia Browser for Symbian Rockmelt Safari Steel

Trident-based	Maxthon

Gecko-based	Firefox for Android MicroB Minimo

Presto-based	Opera Mini

Other	Blazer CM Browser Deepfish ibisBrowser Internet Explorer Mobile Iris Browser Konqueror Embedded Microsoft Edge NetFront Nokia Xpress Skweezer Skyfire Teashark ThunderHawk UC Browser Vision WinWAP Smooz(ja)

Television and video game console

WebKit-based	Google TV Nintendo 3DS Internet Browser Nintendo DS & DSi Browser NetFront Steam Overlay Wii U Internet Browser

Gecko-based	Kylo

Presto-based	Internet Channel

Other	MSN TV

Software no longer in development shown in italics

Category
Commons
Internet portal
Software portal

This article is issued from Wikipedia - version of the 10/17/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.