OCSP stands for Online Certificate Status Protocol, an internet protocol used for obtaining the revocation status of an X.509 digital certificate. It was created as an alternative to certificate revocation lists (CRLs), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). OCSP enables real-time status checks on security certificates and is fundamental to the extended validation of Secure Sockets Layer (SSL) certificates. When a user requests the validity of a certificate, an OCSP request is sent to an OCSP responder. The responder checks that specific certificate with a trusted certificate authority (CA), and an OCSP response is sent back with a status of either ‘good’, ‘revoked’ or ‘unknown’. OCSP checking creates a privacy concern for some users, since it requires the client to contact a third party to confirm certificate validity. OCSP stapling is a way to verify validity without disclosing browsing behavior to the CA.
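The exchange described above, as an added example built with the `cryptography` library (not code from the original page): the client names the certificate in a request, the responder returns a signed and time-stamped answer, and the relying party (or a web server about to cache a stapled copy) verifies the signature, the serial number and the validity window before trusting it. The CA, host names, serials and fixed clock are a constructed throwaway PKI; the CA signs OCSP responses directly rather than through a delegated responder.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1)  # fixed naive-UTC clock so the run is reproducible (constructed)
DER = serialization.Encoding.DER

def make_cert(subject, issuer, issuer_key, key, serial):
    """Issue a one-year certificate for `key`, signed by `issuer_key` (hypothetical test PKI)."""
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=365))
            .sign(issuer_key, hashes.SHA256()))

CA_KEY, LEAF_KEY = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
CA_CERT = make_cert(CA_NAME, CA_NAME, CA_KEY, CA_KEY, 1)
LEAF_CERT = make_cert(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")]),
                      CA_NAME, CA_KEY, LEAF_KEY, 2)

def client_request(cert, issuer):
    """Client side: an OCSP request identifies the certificate by issuer hashes and serial number."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build().public_bytes(DER)

def responder_answer(req_der, status, revoked_at=None):
    """Responder side: look the serial up and return a signed, time-stamped answer (the CA signs it here)."""
    req = ocsp.load_der_ocsp_request(req_der)
    assert req.serial_number == LEAF_CERT.serial_number, "only one certificate was issued in this demo"
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=LEAF_CERT, issuer=CA_CERT, algorithm=hashes.SHA1(), cert_status=status,
                          this_update=NOW, next_update=NOW + dt.timedelta(days=7),
                          revocation_time=revoked_at, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
            .sign(CA_KEY, hashes.SHA256()))
    return resp.public_bytes(DER)

def check_status(resp_der, cert, issuer, now):
    """Relying party (or a server about to staple): verify before trusting. Only 'good' is a pass."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unknown"
    # The signature must verify under the issuer's key; tampering raises InvalidSignature.
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:
        return "unknown"  # a valid answer about some other certificate proves nothing
    if not (resp.this_update <= now and (resp.next_update is None or now <= resp.next_update)):
        return "stale"  # outside the signed validity window: refresh it, never cache or staple it
    return {ocsp.OCSPCertStatus.GOOD: "good", ocsp.OCSPCertStatus.REVOKED: "revoked"}.get(resp.certificate_status, "unknown")

def demo():
    req = client_request(LEAF_CERT, CA_CERT)
    good = responder_answer(req, ocsp.OCSPCertStatus.GOOD)
    revoked = responder_answer(req, ocsp.OCSPCertStatus.REVOKED, revoked_at=NOW - dt.timedelta(hours=1))
    return (check_status(good, LEAF_CERT, CA_CERT, NOW),
            check_status(revoked, LEAF_CERT, CA_CERT, NOW),
            check_status(good, LEAF_CERT, CA_CERT, NOW + dt.timedelta(days=8)))  # a 'good' answer held past next_update
```

`demo()` returns `("good", "revoked", "stale")`; the third result is why a stapling server must refresh its cached response before `next_update` passes.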
In summary, OCSP is a protocol used to check the revocation status of digital certificates, and it is an alternative to CRLs. It enables real-time status checks on security certificates and is fundamental to the extended validation of SSL certificates. OCSP stapling is a way to improve the performance of OCSP by placing a digitally signed and time-stamped copy of the OCSP response directly on the web server.