OCSP Validation
OCSP (Online Certificate Status Protocol, RFC 6960) is an Internet protocol for obtaining the revocation status of an X.509 digital certificate. It is an alternative to certificate revocation lists (CRLs) and addresses some of the problems of deploying CRLs in large PKI environments.
Compared to a CRL, an OCSP response carries less information: it answers for the specific certificate (or certificates) asked about rather than listing every certificate the issuer has revoked. That places less load on the network and on the client, and because there is less data to parse, the client-side libraries that handle it can be simpler than those that handle CRLs.
OCSP can support more than one level of certificate authority (CA). OCSP requests may be chained between peer responders to query the issuing CA appropriate for the subject certificate, with responders validating each other's responses against the root CA using their own OCSP requests.
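The exchange the paragraphs above describe, as an added example that is not part of the original page: a shell script that runs a complete OCSP request/response cycle offline with the openssl command-line tool, then validates the stored response the way a client must (responder signature, responder trust, CertID match, validity window) and shows that an answer signed by a responder the issuer never authorized is rejected even though it claims a revoked certificate is good. The CA, leaf certificates, serial numbers (0x1001 and 0x1002), file names and index entries are all constructed throwaway test data, not real infrastructure.

```shell
#!/bin/sh
# Added example, not code from the original page: a complete OCSP exchange run
# offline with the openssl CLI. Everything here is constructed test data: a
# throwaway issuing CA, one valid and one revoked leaf certificate (serials
# 0x1001 and 0x1002, assumed), a CA-signed OCSP response, and a rogue responder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed key pair and certificate for a given subject (EC P-256).
selfsigned() {  # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" -days 30 2>/dev/null
}

# Throwaway issuing CA, two leaf certificates, and the responder's copy of the
# issuer's database in `openssl ca` index.txt format (tab separated):
#   status  expiry(YYMMDDHHMMSSZ)  revocation-time[,reason]  serial(hex)  file  subject
make_pki() {
  selfsigned ca "Example Issuing CA"
  for name in good revoked; do
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$name.key" -out "$name.csr" -subj "/CN=$name.example.test" 2>/dev/null
  done
  openssl x509 -req -in good.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -days 30 -out good.pem 2>/dev/null
  openssl x509 -req -in revoked.csr -CA ca.pem -CAkey ca.key -set_serial 0x1002 \
    -days 30 -out revoked.pem 2>/dev/null
  printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=good.example.test\n' > index.txt
  printf 'R\t991231235959Z\t240101000000Z,keyCompromise\t1002\tunknown\t/CN=revoked.example.test\n' >> index.txt
}

# Client request plus responder answer. In responder mode (-index) openssl
# builds the request for the listed certificates (-issuer/-cert, saved with
# -reqout), looks each serial up in the index and signs the response with the
# issuer's own key, the simplest authorized responder. -nmin sets nextUpdate,
# the end of the window in which a client may cache this answer.
answer_request() {
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -issuer ca.pem -cert good.pem -cert revoked.pem \
    -reqout req.der -respout resp.der -nmin 10 -noverify -out /dev/null
}

# What an attacker without the issuer's key can do: a self-signed "responder"
# whose own index says the revoked certificate is still valid.
rogue_response() {
  selfsigned rogue "Rogue OCSP Responder"
  printf 'V\t991231235959Z\t\t1002\tunknown\t/CN=revoked.example.test\n' > rogue-index.txt
  openssl ocsp -index rogue-index.txt -CA ca.pem -rsigner rogue.pem -rkey rogue.key \
    -issuer ca.pem -cert revoked.pem -respout rogue.der -noverify -out /dev/null
}

# Client-side validation of a stored response. openssl checks the responder
# signature, that the signer is the issuer (or a responder it delegated to, or
# a certificate trusted via -CAfile), and that the CertID in the response
# matches the certificate being checked. Prints good / revoked / unknown, or
# "rejected" when validation fails. -no_nonce: a stored response cannot carry
# the nonce of a request built now; for cached responses freshness comes from
# the thisUpdate/nextUpdate window instead.
check_status() {  # $1 = DER response file, $2 = certificate file
  out=$(openssl ocsp -respin "$1" -issuer ca.pem -cert "$2" -CAfile ca.pem \
          -no_nonce 2>/dev/null) || { echo rejected; return 0; }
  printf '%s\n' "$out" | sed -n "s/^$2: //p"
}

make_pki
answer_request
rogue_response
echo "good.pem    -> $(check_status resp.der good.pem)"      # good
echo "revoked.pem -> $(check_status resp.der revoked.pem)"   # revoked
echo "rogue.der   -> $(check_status rogue.der revoked.pem)"  # rejected
# The fields a validator inspects, as carried in the signed response itself:
openssl ocsp -respin resp.der -text -noverify \
  | grep -E 'Cert Status|This Update|Next Update|Revocation Reason'
```

Run it with `sh` on a machine with OpenSSL 1.1.1 or later; it needs no network. The `-CAfile` and `-issuer` arguments are what make the trust decision: openssl accepts a response only if its signer is the issuing CA itself, a certificate that CA issued for OCSP signing, or a certificate trusted through the store, which is why the rogue responder's "good" answer for the revoked certificate is refused even though its signature is internally valid. The `-no_nonce` on the stored-response check reflects a real trade-off: a nonce binds a response to one live request and defeats replay of an old "good" answer, but it also prevents responders from pre-computing and caching responses, so deployments that distribute stored responses (OCSP stapling, for instance) rely on the thisUpdate/nextUpdate window for freshness.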
Topics in this section: