OCSP Stapling
Encyclopedia
OCSP stapling is an adjunct to the Online Certificate Status Protocol
(OCSP) for checking the revocation status of X.509
digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses, instead of the issuing Certificate Authority
(CA).
(CRL) approaches, however it can introduce a significant penalty for certificate authorities who are now required to provide responses to every client of a given certificate in real time. When the certificate is issued to a legitimate high traffic web site, for instance, this can result in enormous volumes of OCSP traffic, all of which serves to indicate that the certificate is valid and can be trusted.
OCSP checking also creates a privacy concern for some users, since it requires the client to contact a third party (albeit a party trusted by the client software) to confirm certificate validity. A way to verify validity without disclosing browsing behaviour would be desirable for this group of users.
. In a stapling scenario, the certificate owner queries the OCSP server themselves at regular intervals, obtaining a signed time-stamped
response. When the site's visitors attempt to connect to the site, this response is included ("stapled") with the SSL/TLS Handshake
. It may appear that allowing the site operator to control verification responses introduces an opportunity for fraud. Since the response is signed by the certificate authority, not the certificate holder, though, and since lack of a valid stapled response will just cause the client to ask the OCSP server directly, there is actually no increased risk with this approach.
As a result, clients continue to have verifiable assurance from the certificate authority that the certificate is presently valid (or was quite recently), but no longer need to individually contact the OCSP server. This means that the brunt of the resource burden is now placed back on the certificate holder. It also means that the client software no longer needs to disclose users' browsing habits to any third party.
Overall performance is also improved: When the client has to fetch the signature from the certificate authority this usually involves the lookup of the domain name of their validation server in the DNS as well as establishing a connection to their server. When OCSP stapling is used the signature is delivered through the channel already established causing no additional delay.
project included support in their 0.9.8g release with the assistance of a grant from the Mozilla Foundation
.
Online Certificate Status Protocol
The Online Certificate Status Protocol is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 2560 and is on the Internet standards track...
(OCSP) for checking the revocation status of X.509
X.509
In cryptography, X.509 is an ITU-T standard for a public key infrastructure and Privilege Management Infrastructure . X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation...
digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses, instead of the issuing Certificate Authority
Certificate authority
In cryptography, a certificate authority, or certification authority, is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate...
(CA).
Motivation
OCSP has several advantages over older Certificate Revocation ListCertificate revocation list
In the operation of some cryptosystems, usually public key infrastructures , a certificate revocation list is a list of certificates that have been revoked, and therefore should not be relied upon.-Revocation States:There are two different states of revocation defined in RFC 3280:* Revoked: A...
(CRL) approaches, however it can introduce a significant penalty for certificate authorities who are now required to provide responses to every client of a given certificate in real time. When the certificate is issued to a legitimate high traffic web site, for instance, this can result in enormous volumes of OCSP traffic, all of which serves to indicate that the certificate is valid and can be trusted.
OCSP checking also creates a privacy concern for some users, since it requires the client to contact a third party (albeit a party trusted by the client software) to confirm certificate validity. A way to verify validity without disclosing browsing behaviour would be desirable for this group of users.
Solution
OCSP stapling resolves both problems in a fashion reminiscent of the Kerberos TicketKerberos
Kerberos may refer to:* Cerberus, the hound of Hades * Kerberos saga, a science fiction series by Mamoru Oshii* Kerberos , a computer network authentication protocol* Kerberos Dante, a character from Saint Seiya...
. In a stapling scenario, the certificate owner queries the OCSP server themselves at regular intervals, obtaining a signed time-stamped
Timestamp
A timestamp is a sequence of characters, denoting the date or time at which a certain event occurred. A timestamp is the time at which an event is recorded by a computer, not the time of the event itself...
response. When the site's visitors attempt to connect to the site, this response is included ("stapled") with the SSL/TLS Handshake
Transport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
. It may appear that allowing the site operator to control verification responses introduces an opportunity for fraud. Since the response is signed by the certificate authority, not the certificate holder, though, and since lack of a valid stapled response will just cause the client to ask the OCSP server directly, there is actually no increased risk with this approach.
As a result, clients continue to have verifiable assurance from the certificate authority that the certificate is presently valid (or was quite recently), but no longer need to individually contact the OCSP server. This means that the brunt of the resource burden is now placed back on the certificate holder. It also means that the client software no longer needs to disclose users' browsing habits to any third party.
Overall performance is also improved: When the client has to fetch the signature from the certificate authority this usually involves the lookup of the domain name of their validation server in the DNS as well as establishing a connection to their server. When OCSP stapling is used the signature is delivered through the channel already established causing no additional delay.
Deployment
OCSP stapling is described in RFC 4366, section 3.6, but has not seen broad deployment to date, however this is changing. The OpenSSLOpenSSL
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library implements the basic cryptographic functions and provides various utility functions...
project included support in their 0.9.8g release with the assistance of a grant from the Mozilla Foundation
Mozilla Foundation
The Mozilla Foundation is a non-profit organization that exists to support and provide leadership for the open source Mozilla project. The organization sets the policies that govern development, operates key infrastructure and controls trademarks and other intellectual property...
.