Editing Online Certificate Status Protocol

{{short description|Communications protocol}}
{{Infobox networking protocol
|abbreviation = OCSP
|title = Online Certificate Status Protocol
|date = {{Start date|2002|02|04|df=y}}<ref name="history">{{Cite web|title=History for draft-ietf-pkix-rfc2560bis-20|date=June 2013 |url=https://datatracker.ietf.org/doc/rfc6960/history/|access-date=December 23, 2021 |last1=Santesson |first1=Stefan |last2=Myers |first2=Michael |last3=Ankney |first3=Rich |last4=Malpani |first4=Ambarish |last5=Galperin |first5=Slava |last6=Adams |first6=Carlisle }}</ref>
|developer = {{Plainlist|
* Stefan Santesson
* Michael Myers
* Rich Ankney
* Ambarish Malpani
* Slava Galperin
* [[Carlisle Adams]]
* Mohit Sahni
* Himanshu Sharma
}}
|rfcs = {{Plainlist|
* {{Sum RFC|6960|title=no|ref=yes}}
* {{Sum RFC|9654|title=no|ref=yes}}
}}
}}

The '''Online Certificate Status Protocol''' ('''OCSP''') is an [[Internet]] [[Communication protocol|protocol]] used for obtaining the [[revocation status]] of an [[X.509]] [[digital certificate]].<ref name="Digital-Ocean-Tutorial-OCSP-Stapling">{{cite web |url=https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx |title=How To Configure OCSP Stapling on Apache and Nginx |publisher=Digital Ocean, Inc. |work=Community Tutorials |date=June 12, 2014 |access-date=March 2, 2015 |author=A., Jesin}}</ref> It was created as an alternative to [[certificate revocation list]]s (CRL), specifically addressing certain problems associated with using CRLs in a [[public key infrastructure]] (PKI).<ref name="GlobalSign-OCSP-Stapling">{{cite web |url=https://support.globalsign.com/customer/portal/articles/1618853-ocsp-stapling |title=OCSP Stapling |publisher=GMO GlobalSign Inc. |work=GlobalSign Support |date=August 1, 2014 |access-date=March 2, 2015}}</ref> Messages communicated via OCSP are encoded in [[ASN.1]] and are usually communicated over [[HTTP]]. The "request/response" nature of these messages leads to OCSP [[Server (computing)|servers]] being termed ''OCSP responders''.

Some [[web browser]]s (e.g., [[Firefox]]<ref>{{cite web|url=https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox#OCSP|title=CA/Revocation Checking in Firefox|website=wiki.mozilla.org|access-date=29 June 2022}}</ref>) use OCSP to validate [[HTTPS]] certificates, while others have disabled it.<ref>{{cite web|url=https://community.letsencrypt.org/t/are-revoked-certificates-detected-in-safari-and-chrome/42677|title=Are revoked certificates detected in Safari and Chrome?|date=20 September 2017 |access-date=29 June 2022}}</ref><ref>{{cite web|url=https://www.chromium.org/Home/chromium-security/crlsets/|title=CRLSets|access-date=29 June 2022}}</ref> Most OCSP revocation statuses on the Internet disappear soon after certificate expiration.<ref>{{cite conference |last1=Korzhitskii |first1=Nikita |last2=Carlsson |first2=Niklas |date=2021 |title=Revocation Statuses on the Internet |editor-last1=Hohlfeld |editor-first1=Oliver |editor-last2=Lutu |editor-first2=Andra |editor-last3=Levin |editor-first3=Dave |conference=PAM 2021 |book-title=Passive and Active Measurement |series=[[Lecture Notes in Computer Science|LNCS]] |volume=12671 |pages=175–191 |arxiv=2102.04288 |doi=10.1007/978-3-030-72582-2_11 |isbn=978-3-030-72582-2 |issn=0302-9743}}</ref>

[[Certificate authority|Certificate authorities]] (CAs) were previously required by the [[CA/Browser Forum]] to provide OCSP service, but this requirement was removed in August 2023, instead making CRLs required again.<ref>{{cite web |last=Barreira |first=Inigo |title=[Servercert-wg] IPR Review period for SC63: Make OCSP optional, require CRLs, and incentivize automation |url=https://lists.cabforum.org/pipermail/servercert-wg/2023-September/003998.html |website=lists.cabforum.org |date=September 28, 2023 |access-date=August 4, 2024}}</ref> [[Let's Encrypt]] has announced that OCSP services will be shut down on August 6, 2025.<ref>{{Cite web |title=Ending OCSP Support in 2025 |url=https://letsencrypt.org/2024/12/05/ending-ocsp/ |access-date=2025-01-21 |website=letsencrypt.org |date=5 December 2024 |language=en-US}}</ref>

== Comparison to CRLs ==
* Since an OCSP response contains less data than a typical [[certificate revocation list]] (CRL), it puts less burden on network and client resources.<ref name="Gibson-OCSP-Must-Staple">{{cite web | url=https://www.grc.com/revocation/ocsp-must-staple.htm | title=Security Certificate Revocation Awareness: The case for "OCSP Must-Staple" | publisher=Gibson Research Corporation | access-date=March 2, 2015 | author=Gibson, Steve}}</ref>
* Since an OCSP response has less data to [[Parsing|parse]], the client-side [[Library (computing)|libraries]] that handle it can be less complex than those that handle CRLs.<ref name="Mozilla-OCSP-Stapling-Firefox">{{cite web | url=https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ | title=OCSP Stapling in Firefox | publisher=Mozilla Foundation | work=Mozilla Security Blog | date=July 29, 2013 | access-date=March 2, 2015 | author=Keeler, David}}</ref>
* OCSP discloses to the responder that a particular network host used a particular certificate at a particular time.  OCSP does not mandate encryption, so other parties may intercept this information.<ref name="Digital-Ocean-Tutorial-OCSP-Stapling" />

== Basic PKI implementation ==
# [[Alice and Bob]] have [[public key certificate]]s issued by Carol, the [[certificate authority]] (CA).
# Alice wishes to perform a transaction with Bob and sends him her certificate.
# Bob, concerned that Alice's [[private key]] may have been compromised, creates an 'OCSP request' that contains Alice's certificate serial number and sends it to Carol.
# Carol's OCSP responder reads the certificate serial number from Bob's request. The OCSP responder uses the certificate serial number to look up the [[Certificate revocation|revocation]] status of Alice's certificate. The OCSP responder looks in a CA database that Carol maintains. In this scenario, Carol's CA database is the only trusted location where a compromise to Alice's certificate would be recorded.
# Carol's OCSP responder confirms that Alice's certificate is still OK, and returns a [[Digital signature|signed]], successful 'OCSP response' to Bob.
# Bob cryptographically verifies Carol's signed response.  Bob has stored Carol's public key some time before this transaction. Bob uses Carol's public key to verify Carol's response.
# Bob completes the transaction with Alice.

== Protocol details ==
An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

The OCSP request format supports additional extensions. This enables extensive customization to a particular PKI scheme.

OCSP can be vulnerable to [[replay attack]]s,{{Ref RFC|6960|rsection=5}} where a signed, 'good' response is captured by a malicious intermediary and replayed to the client at a later date after the subject certificate may have been revoked. OCSP allows a [[cryptographic nonce|nonce]] to be included in the request that may be included in the corresponding response. Because of high load, most OCSP responders do not use the nonce extension to create a different response for each request, instead using presigned responses with a validity period of multiple days. Thus, the replay attack is a major threat to validation systems.

OCSP can support more than one level of CA. OCSP requests may be chained between peer responders to query the issuing CA appropriate for the subject certificate, with responders validating each other's responses against the root CA using their own OCSP requests.

An OCSP responder may be queried for revocation information by [[Delegated Path Validation|delegated path validation]] (DPV) servers. OCSP does not, by itself, perform any DPV of supplied certificates.

The key that signs a response need not be the same key that signed the certificate. The certificate's issuer may delegate another authority to be the OCSP responder. In this case, the responder's certificate (the one that is used to sign the response) must be issued by the issuer of the certificate in question, and must include a certain extension that marks it as an OCSP signing authority (more precisely, an extended key usage extension with the [[object identifier|OID]] {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) keyPurpose(3) ocspSigning(9)})

== Privacy concerns ==
OCSP checking creates a privacy concern for some users, since it requires the client to contact a third party (albeit a party trusted by the client software vendor) to confirm certificate validity. This third party could thus track what websites the client is accessing. [[OCSP stapling]] is a way to verify validity without disclosing browsing behavior to the CA.<ref name="Digital-Ocean-Tutorial-OCSP-Stapling" />

== Criticisms ==
OCSP-based revocation is not an effective technique to mitigate against the compromise of an HTTPS server's private key. An attacker who has compromised a server's private key typically needs to be in a [[man-in-the-middle]] position on the network to abuse that private key and impersonate a server. An attacker in such a position is also typically in a position to interfere with the client's OCSP queries. Because most clients will silently ignore OCSP if the query times out, OCSP is not a reliable means of mitigating HTTPS server key compromise.<ref>{{cite web|url=https://www.imperialviolet.org/2014/04/19/revchecking.html|title=No, Don't Enable Revocation Checking|date=19 April 2014|access-date=24 April 2014}}</ref>

The MustStaple TLS extension in a certificate can require that the certificate be verified by a [[OCSP stapling|stapled OCSP]] response, mitigating this problem.<ref name="Gibson-OCSP-Must-Staple" /> OCSP also remains a valid defense against situations where the attacker is not a "man-in-the-middle" (code-signing or certificates issued in error).

The OCSP protocol assumes the requester has network access to connect to an appropriate OCSP responder. Some requesters may not be able to connect because their local network prohibits direct Internet access (a common practice for internal nodes in a data center). Forcing internal servers to connect to the Internet in order to use OCSP contributes to the [[de-perimeterisation]] trend. The [[OCSP stapling]] protocol is an alternative that allows servers to cache OCSP responses, which removes the need for the requestor to directly contact the OCSP responder.

== Browser support ==
[[File:Firefox 89 AboutCertificate authority info screenshot.png|thumb|OCSP information on Firefox 89]]
There is wide support for OCSP amongst most major browsers:
* [[Internet Explorer]] is built on the [[Microsoft CryptoAPI|CryptoAPI]] of [[Microsoft Windows|Windows]] and thus starting with [[Internet Explorer 7|version 7]] on [[Windows Vista]] (not [[Windows XP|XP]]<ref>{{cite web|url=http://social.technet.microsoft.com/wiki/contents/articles/4954.windows-xp-certificate-status-and-revocation-checking.aspx#Certificate_Revocation_Process/|title=Windows XP Certificate Status and Revocation Checking|publisher=[[Microsoft]]|access-date=9 May 2016}}</ref>) supports OCSP checking.<ref>{{cite web|url=https://technet.microsoft.com/en-us/library/ee619736(v=ws.10).aspx/|title=What's New in Certificate Revocation in Windows Vista and Windows Server 2008|date=3 July 2013 |publisher=[[Microsoft]]|access-date=9 May 2016}}</ref>
* All versions of [[Mozilla Firefox]] support OCSP checking. [[Mozilla Firefox 3|Firefox 3]] enables OCSP checking by default.<ref>{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=110161|title=Mozilla Bug 110161 – Enable OCSP by Default|publisher=[[Mozilla]]|date=1 October 2007|access-date=18 July 2010}}</ref>
* [[Safari (web browser)|Safari]] on macOS supports OCSP checking. It is enabled by default as of Mac OS X 10.7 (Lion). Prior to that, it has to be manually activated in Keychain preferences.<ref name="Sophos">{{cite web|url=http://nakedsecurity.sophos.com/2011/03/26/apple-users-left-to-defend-themselves-against-certificate-attacks/|title=Apple users left to defend themselves against certificate attacks|last=Wisniewski|first=Chester|publisher=[[Sophos]]|date=26 March 2011|access-date=26 March 2011}}</ref>
* Versions of [[Opera (web browser)|Opera]] from 8.0<ref>{{cite web|url=http://labs.opera.com/news/2006/11/09/|title=Introducing Extended Validation Certificates|last=Pettersen|first=Yngve Nysæter|date=November 9, 2006|publisher=[[Opera Software]]|access-date=8 January 2010|url-status=dead|archive-url=https://web.archive.org/web/20100210031759/http://labs.opera.com/news/2006/11/09/|archive-date=10 February 2010}}</ref><ref>{{cite web|url=http://my.opera.com/rootstore/blog/2008/07/03/rootstore-newsletter|title=Rootstore newsletter|last=Pettersen|first=Yngve Nysæter|date=3 July 2008|publisher=[[Opera Software]]|access-date=8 January 2010}}</ref> to the current version support OCSP checking.
However, [[Google Chrome]] is an outlier. Google disabled OCSP checks by default in 2012, citing latency and privacy issues<ref>{{cite web| url=https://www.imperialviolet.org/2012/02/05/crlsets.html|title=Revocation checking and Chrome's CRL|date=5 Feb 2012|access-date=2015-01-30|archive-url=https://web.archive.org/web/20120212014932/http://www.imperialviolet.org/|url-status=live|archive-date=2012-02-12|author=Langley, Adam}}</ref> and instead uses their own update mechanism to send revoked certificates to the browser.<ref>[https://www.zdnet.com/article/chrome-does-certificate-revocation-better/ "Chrome does certificate revocation better"], April 21, 2014, Larry Seltzer, ZDNet</ref>

== Implementations ==

Several [[Open-source license|open source]] and [[proprietary software|proprietary]] OCSP implementations exist, including fully featured [[server (computing)|server]]s and [[library (software)|libraries]] for building custom applications.  OCSP [[client (computing)|client]] support is built into many [[operating systems]], [[web browsers]], and other [[Computer network|network]] [[software]] due to the popularity of [[HTTPS]] and the [[World Wide Web]].

=== Server ===

==== Open source ====

* Boulder,<ref>{{cite web|url=https://github.com/letsencrypt/boulder|title=Boulder – an ACME CA|website=[[GitHub]]|date=16 March 2018|access-date=17 March 2018}}</ref> CA and OCSP responder developed and used by [[Let's Encrypt]] ([[Go (programming language)|Go]])
* DogTag,<ref>{{cite web|url=https://www.dogtagpki.org|title=Dogtag Certificate System|access-date=12 Aug 2019}}</ref>  Open source certificate authority CA, CRL and OCSP responder.
* [[EJBCA]],<ref>{{cite web|url=https://www.ejbca.org/|title=EJBCA – Open Source PKI Certificate Authority|publisher=PrimeKey|date=2 February 2018|access-date=17 March 2018}}</ref> CA and OCSP responder ([[Java (programming language)|Java]])
* XiPKI,<ref>{{cite web|url=https://github.com/xipki/xipki|title=XiPKI|website=GitHub|date=13 March 2018|access-date=17 March 2018}}</ref> CA and OCSP responder. With support of RFC 6960 and SHA3 ([[Java (programming language)|Java]])
* OpenCA OCSP Responder <ref>{{cite web|url=https://www.openca.org/projects/ocspd/|title=OpenCA OCSP|access-date=3 January 2024}}</ref> Standalone OCSP responder from the OpenCA Project ([[C (programming language)|C]])

==== Proprietary ====

* Certificate Services <ref>{{cite web|url=https://msdn.microsoft.com/en-us/library/windows/desktop/aa376539(v=vs.85).aspx|title=Certificate Services (Windows)|website=Windows Dev Center|publisher=[[Microsoft]]|date=2018|access-date=17 March 2018}}</ref> CA and OCSP responder included with Windows Server

=== Library ===

==== Open source ====

* cfssl<ref>{{cite web|url=https://godoc.org/github.com/cloudflare/cfssl/ocsp|title=Package ocsp|website=cfssl GoDoc|date=25 February 2018|access-date=17 March 2018}}</ref> (Go)
* [[OpenSSL]]<ref>{{cite web|url=https://www.openssl.org/docs/manmaster/man3/OCSP_basic_sign.html|title=OCSP_response_status|website=master manpages|publisher=[[OpenSSL]]|date=2017|access-date=17 March 2018}}</ref> ([[C (programming language)|C]])
* [[wolfSSL]]<ref>{{Cite web|url=https://www.wolfssl.com/ocsp-in-wolfssl-embedded-ssl-2/|title=OCSP in wolfSSL Embedded SSL – wolfSSL|date=2014-01-27|language=en-US|access-date=2019-01-25}}</ref> ([[C (programming language)|C]])

=== Client ===

{{further|Transport Layer Security#Applications and adoption|X.509#Major protocols and standards using X.509 certificates}}

== See also ==
*[[Certificate revocation list]]
*[[Certificate authority]]
*[[SCVP|Server-based Certificate Validation Protocol]]
*[[OCSP stapling]]
*[[Certificate Transparency]]

== References ==
{{Reflist}}

== External links ==
*[//tools.ietf.org/html/rfc2560 RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP]
*[//tools.ietf.org/html/rfc4806 RFC 4806, Online Certificate Status Protocol (OCSP) Extensions to IKEv2]
*[//tools.ietf.org/html/rfc5019 RFC 5019, The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments]
*[//tools.ietf.org/html/rfc6960 RFC 6960, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP]
* [https://web.archive.org/web/20131203092421/http://www.processor.com/editorial/article.asp?article=articles%2Fp3113%2F48p13%2F48p13.asp Processor.com April, 2009 article about Online Certificate Status Protocol]

{{Web browsers|fsp}}
{{SSL/TLS}}

[[Category:Public key infrastructure]]
[[Category:Cryptographic protocols]]
[[Category:Internet Standards]]
[[Category:Internet protocols]]
[[Category:Transport Layer Security]]
[[Category:Certificate revocation]]