OCSP Request Considerations

This section summarizes the considerations for configuring OCSP requests.

Including a Nonce in the OCSP Request

Whether to use nonces (refer to the Glossary for a definition) in your configuration depends on the specific security needs of your organization. In most cases, a nonce is unnecessary and may decrease the overall security and performance of a PKI deployment.

Check with the responder administrator for more detailed information about when and if OCSP requests can or should include a nonce.

Digital Signing of OCSP Requests

Digitally signing OCSP requests is a practice used at some sites when the OCSP responder requires assurance about the source of an OCSP request. Processing signed requests takes additional time and responder processor resources compared with processing unsigned requests. Requiring that requests be digitally signed can make the responder vulnerable to a flooding attack, while adding little extra security. HID Global does not recommend enabling digital signing of OCSP requests unless explicitly required.

Sending OCSP Requests using HTTP GET or POST

By default, the Validation Client sends all OCSP requests using HTTP POST. This behavior can be overridden so that the Validation Client follows the recommendation of the Lightweight OCSP Profile (RFC 5019): clients should use HTTP GET to send OCSP requests when the entire URL contains 255 characters or fewer, and HTTP POST when it contains more than 255 characters. For more information, see the section Configure OCSP Response Acceptance.
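The GET-or-POST rule above, as an added standard-library example that is not part of the Validation Client or any HID Global code: it DER-encodes a minimal RFC 5019 request (SHA-1 CertID, no nonce) from constructed sample issuer hashes and a sample serial, forms the GET URL the way RFC 5019 describes (base64 of the DER, URL-encoded, appended to the responder URL), and applies the 255-character test.

```python
import base64
import hashlib
import urllib.parse


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; lengths up to 65535 are enough for an OCSP request."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    elif len(body) < 0x100:
        length = b"\x81" + bytes([len(body)])
    else:
        length = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_integer(value: int) -> bytes:
    # One spare bit keeps a high-bit serial positive (DER INTEGER is two's complement).
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der(0x02, raw)


# AlgorithmIdentifier { sha1 (1.3.14.3.2.26), NULL } as RFC 5019 requires for CertID.
SHA1_ALG_ID = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))


def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """OCSPRequest { TBSRequest { requestList { Request { CertID } } } }, unsigned, no extensions."""
    cert_id = der(0x30, SHA1_ALG_ID + der(0x04, issuer_name_hash)
                  + der(0x04, issuer_key_hash) + der_integer(serial))
    request = der(0x30, cert_id)          # Request ::= SEQUENCE { reqCert CertID }
    tbs = der(0x30, der(0x30, request))   # TBSRequest { requestList SEQUENCE OF Request }
    return der(0x30, tbs)                 # OCSPRequest { tbsRequest }


def choose_transport(responder_url: str, request_der: bytes):
    """Return ("GET", url) when the complete GET URL is <= 255 characters, else ("POST", url)."""
    encoded = urllib.parse.quote(base64.b64encode(request_der).decode("ascii"), safe="")
    get_url = responder_url.rstrip("/") + "/" + encoded
    if len(get_url) <= 255:
        return "GET", get_url
    return "POST", responder_url


# Constructed sample inputs (hypothetical issuer and serial, not from any real CA).
SAMPLE_NAME_HASH = hashlib.sha1(b"constructed issuer name").digest()
SAMPLE_KEY_HASH = hashlib.sha1(b"constructed issuer public key").digest()
SAMPLE_REQUEST = build_ocsp_request(SAMPLE_NAME_HASH, SAMPLE_KEY_HASH, 0x1234)
```

A nonce or a signature would be extra TBSRequest content, so the same small request can cross the 255-character limit once either is added.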