Online Certificate Status Protocol

From Wikipedia, the free encyclopedia - View original article

 
Jump to: navigation, search

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

Comparison to CRLs[edit]

Basic PKI implementation[edit]

  1. Alice and Bob have public key certificates issued by Ivan, the Certificate Authority (CA).
  2. Alice wishes to perform a transaction with Bob and sends him her public key certificate.
  3. Bob, concerned that Alice's private key may have been compromised, creates an 'OCSP request' that contains Alice's certificate serial number and sends it to Ivan.
  4. Ivan's OCSP responder reads the certificate serial number from Bob's request. The OCSP responder uses the certificate serial number to look up the revocation status of Alice's certificate. The OCSP responder looks in a CA database that Ivan maintains. In this scenario, Ivan's CA database is the only trusted location where a compromise to Alice's certificate would be recorded.
  5. Ivan's OCSP responder confirms that Alice's certificate is still OK, and returns a signed, successful 'OCSP response' to Bob.
  6. Bob cryptographically verifies Ivan's signed response. Bob has stored Ivan's public key sometime before this transaction. Bob uses Ivan's public key to verify Ivan's response.
  7. Bob completes the transaction with Alice.

Protocol details[edit]

An OCSP responder - a server typically run by the certificate issuer - may return a signed response signifying that the certificate specified in the request is 'good', 'revoked' or 'unknown'. If it cannot process the request, it may return an error code.

The OCSP request format supports additional extensions. This enables extensive customization to a particular PKI scheme.

OCSP can be vulnerable to replay attacks, where a signed, 'good' response is captured by a malicious intermediary and replayed to the client at a later date after the subject certificate may have been revoked. OCSP overcomes this by allowing a nonce to be included in the request that must be included in the corresponding response. However, since most OCSP responders and clients do not support or use the nonce extension and Certificate Authorities (CAs) issue responses with a validity period of multiple days, the replay attack is a major threat to validation systems.

OCSP can support more than one level of CA. OCSP requests may be chained between peer responders to query the issuing CA appropriate for the subject certificate, with responders validating each other's responses against the root CA using their own OCSP requests.

An OCSP responder may be queried for revocation information by delegated path validation (DPV) servers. OCSP does not, by itself, perform any DPV of supplied certificates.

The key that signs a response need not be the same key that signed the certificate. The certificate's issuer may delegate another authority to be the OCSP responder. In this case, the responder's certificate (the one that is used to sign the response) must be issued by the issuer of the certificate in question, and must include a certain extension that marks it as an OCSP signing authority (more precisely, an extended key usage extension with the OID {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) keyPurpose(3) ocspSigning(9)})

Privacy concerns[edit]

OCSP checking creates a privacy concern for some users, since it requires the client to contact a third party (albeit a party trusted by the client software vendor) to confirm certificate validity. OCSP Stapling is a way to verify validity without disclosing browsing behavior.

Criticisms[edit]

OCSP-based revocation is not an effective technique to mitigate against the compromise of a HTTPS server's private key. An attacker who has compromised a server's private key typically needs to be in a Man-in-the-middle position on the network to abuse that private key and impersonate a server. An attacker in such a position is also typically in a position to interfere with the client's OCSP queries. Because most clients will silently ignore OCSP if the query times out, OCSP is not a reliable means of mitigating HTTPS server key compromise.[1]

The MustStaple TLS extension in a certificate can require that the certificate be verified by a stapled OCSP response, mitigating this problem. OCSP also remains a valid defense against situations where the attacker is not a "man-in-the-middle" (code-signing or certificates issued in error).

Browser support[edit]

See also[edit]

References[edit]

  1. ^ "No, Don't Enable Revocation Checking". 19 April 2014. Retrieved 24 April 2014. 
  2. ^ "Federal Desktop Core Configuration (FDCC) solution". Microsoft. Retrieved June 2010. 
  3. ^ "Mozilla Bug 110161 - Enable OCSP by Default". Mozilla. 1 October 2007. Retrieved 18 July 2010. 
  4. ^ Wisniewski, Chester (26 March 2011). "Apple users left to defend themselves against certificate attacks". Sophos. Retrieved 26 March 2011. 
  5. ^ Pettersen, Yngve Nysæter (November 9, 2006). "Introducing Extended Validation Certificates". Opera Software. Retrieved 8 January 2010. 
  6. ^ Pettersen, Yngve Nysæter (3 July 2008). "Rootstore newsletter". Opera Software. Retrieved 8 January 2010. 
  7. ^ https://www.imperialviolet.org/2012/02/05/crlsets.html

External links[edit]