OCSP Responder Considerations

In order to validate the revocation status of a digital certificate, the Validation Extension needs the URL of an OCSP responder to which it will send the request. A number of mechanisms are available to determine the URL.

Many certificates include a responder URL in a designated AIA field. By default, the Validation Extension checks the contents of the AIA field.

Additionally, you can configure a set of responder URLs for a specific certificate issuer (that is, Issuer-Responder mappings) that the Validation Extension queries. This is useful in a PKI where the AIA field is unused or inconsistent.

You can also configure a fallback OCSP responder for the Validation Extension to use when a URL cannot be determined by either of the first two methods. If you enable and configure a Fallback Responder, every OCSP request that the Validation Extension receives will be sent to the Fallback Responder for validation when no other responder URL can be determined. In other words, the Validation Extension will never be unable to determine a responder for a given certificate: the Fallback Responder ensures that the Validation Extension can always determine a responder for any certificate being checked.

Caution should be used when enabling a Fallback Responder. Use it only if you can guarantee that the Fallback Responder can provide a response for the status of any certificate that might be validated on a user’s machine. Many applications, including the Microsoft Windows operating system, routinely make use of digital certificates to guarantee the integrity of programs being executed. Unexpected results and disruption of a user’s applications may occur if the status of these types of certificates is unexpectedly reported as Unknown.

The responder URL is determined by using the available mechanisms in the following order:

1. If CRL Caching is enabled, and the cache is configured with URLs, the certificate is validated using a CRL in the list, in the order in which the CRLs are configured, unless the Use OCSP before cached CRLs option (on the CRL Cache tab of the Validation Extension Management Console) is selected.

2. If Issuer-Responder Mappings are present and the issuer of the certificate being validated is found in the list of mappings, the mapped URLs for that issuer are used.

3. If AIA Checking is enabled, the value of the AIA field is used if that field is present in the certificate being validated.

4. If the Fallback Responder option is enabled and configured, the Fallback Responder URL is used.
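The precedence described above, and the Fallback Responder caveat from the earlier paragraph, as an added example that is not the Validation Extension's own code. It is a simplified model: the `Certificate`, `ValidationConfig` and function names are assumptions chosen to mirror the settings named in the text, the sample URLs and issuer names are constructed, and the interpretation that cached CRLs are consulted before the chosen OCSP responder (after it when Use OCSP before cached CRLs is selected) is this example's reading of the text. The toy responder in `simulated_status` exists only to show why a fallback that does not cover an issuer yields an Unknown status.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Added example (not the product's own code): a simplified model of how a
# validation client picks revocation sources for a certificate, following the
# four-step order in the text. Class, field and function names are assumptions.


@dataclass
class Certificate:
    issuer: str                          # issuer name, used to look up mappings
    aia_ocsp_url: Optional[str] = None   # OCSP URL carried in the AIA extension, if any


@dataclass
class ValidationConfig:
    crl_cache_enabled: bool = False
    crl_cache_urls: List[str] = field(default_factory=list)      # in configured order
    use_ocsp_before_cached_crls: bool = False
    issuer_responder_mappings: Dict[str, List[str]] = field(default_factory=dict)
    aia_checking_enabled: bool = True
    fallback_responder_url: Optional[str] = None                  # None = fallback disabled


def ocsp_responder_urls(cert: Certificate, cfg: ValidationConfig) -> List[str]:
    """OCSP responder URL(s) for cert in the text's precedence: Issuer-Responder
    mapping, then the AIA field, then the Fallback Responder. Empty if none applies."""
    mapped = cfg.issuer_responder_mappings.get(cert.issuer)
    if mapped:
        return list(mapped)
    if cfg.aia_checking_enabled and cert.aia_ocsp_url:
        return [cert.aia_ocsp_url]
    if cfg.fallback_responder_url:
        return [cfg.fallback_responder_url]
    return []


def revocation_sources(cert: Certificate, cfg: ValidationConfig) -> List[Tuple[str, str]]:
    """Ordered (kind, url) pairs the client consults, kind in {"crl", "ocsp"}.
    Cached CRLs come first unless 'Use OCSP before cached CRLs' is selected."""
    crls = [("crl", u) for u in cfg.crl_cache_urls] if cfg.crl_cache_enabled else []
    ocsp = [("ocsp", u) for u in ocsp_responder_urls(cert, cfg)]
    return ocsp + crls if cfg.use_ocsp_before_cached_crls else crls + ocsp


def simulated_status(cert: Certificate, cfg: ValidationConfig,
                     responder_issuers: Dict[str, Set[str]]) -> str:
    """Toy responder behaviour used only to illustrate the Fallback caveat.
    responder_issuers maps a responder URL to the issuers it has status for;
    a responder answers 'good' for covered issuers and 'unknown' for the rest.
    CRL lookups are skipped because only the OCSP path matters here."""
    for kind, url in revocation_sources(cert, cfg):
        if kind != "ocsp":
            continue
        covered = responder_issuers.get(url, set())
        return "good" if cert.issuer in covered else "unknown"
    return "no responder"


if __name__ == "__main__":
    # Constructed configuration: one cached CRL, one issuer mapping, a fallback.
    cfg = ValidationConfig(
        crl_cache_enabled=True,
        crl_cache_urls=["http://crl.corp.example.test/issuing.crl"],
        issuer_responder_mappings={"CN=Corp Issuing CA": ["http://ocsp.corp.example.test"]},
        fallback_responder_url="http://ocsp-fallback.example.test",
    )
    corp = Certificate("CN=Corp Issuing CA")                                  # mapping wins
    public = Certificate("CN=Public CA", aia_ocsp_url="http://ocsp.public.example.test")
    signer = Certificate("CN=Some Code Signing CA")                           # only the fallback applies
    for c in (corp, public, signer):
        print(c.issuer, "->", revocation_sources(c, cfg))
    # The fallback knows nothing about the code-signing issuer, so the status
    # comes back Unknown; this is the disruption the text warns about.
    print(signer.issuer, "status:",
          simulated_status(signer, cfg, {"http://ocsp-fallback.example.test": {"CN=Corp Issuing CA"}}))
```

Running the script prints the source list for each of the three constructed certificates; the last line shows that a certificate whose issuer the fallback does not cover is reported as `unknown` rather than going unanswered, which is the case to test for before enabling a Fallback Responder in a deployment.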