What Does Online Certificate Status Protocol (OCSP) Mean?
The Online Certificate Status Protocol (OCSP) is one of the two protocols, the other being certificate revocation lists (CRLs), used to maintain the security of servers and other network resources by tracking certificate revocation. It is used to obtain the revocation status of an X.509 digital certificate. OCSP messages are carried over HTTP and encoded in ASN.1, a notation for describing data structures and their encoding rules in telecommunications and networking. OCSP servers are called OCSP responders because of the request/response nature of the exchange between them and the client. OCSP was created as an alternative to CRLs to address certain problems with their use in a public key infrastructure (PKI).
Techopedia Explains Online Certificate Status Protocol (OCSP)
OCSP has several advantages over CRLs. It overcomes the CRL's main limitation: the client must repeatedly download the full list to stay current. OCSP also uses far fewer network resources, because a response carries only the status of the certificate being asked about rather than the whole list of revoked certificates. Clients do not need to parse CRLs when using OCSP, which reduces complexity for end users, although this is offset by the need to maintain a cache of responses. OCSP traffic does not have to be encrypted, so the request, which identifies the certificate (and therefore the node) a client is checking, can be intercepted by third parties.
When a user attempts to access a server, the OCSP responder is asked for that server's certificate status information. The reply gives the certificate status, which may be "current," "expired" or even "unknown." From there, the protocol defines a specific syntax for the communication between the server and the client application.
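As an added example (not Techopedia's text or any OCSP implementation's code), here is a stdlib-only Python sketch of the ASN.1/DER encoding mentioned in the definition above and of the request side of the exchange described in the last paragraph: it builds the OCSPRequest structure from RFC 6960, parses it back, and matches the CertID the way a responder would when looking up the certificate being asked about. The issuer name bytes, issuer public key bytes and serial number are constructed placeholders, not values from any real certificate. Note what the parsed request exposes: the issuer hashes and serial number identify exactly which certificate the client is checking, which is the information the paragraph on unencrypted OCSP traffic says a third party can observe.

```python
import hashlib

# Added example, not Techopedia's or any OCSP library's code: a minimal DER
# encoder/decoder for the unsigned OCSPRequest structure from RFC 6960.

SHA1_OID = "1.3.14.3.2.26"  # id-sha1, the hash algorithm traditionally used in CertID


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap a body in a tag-length-value triple."""
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(n: int) -> bytes:
    """DER INTEGER for a non-negative value (serial numbers are positive)."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # leading 0x00 when the high bit is set
    return tlv(0x02, body)


def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER with base-128 arc encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_ocsp_request(issuer_name_der: bytes, issuer_public_key: bytes, serial: int) -> bytes:
    """Encode OCSPRequest { TBSRequest { requestList { Request { CertID } } } }.
    issuer_public_key is the raw subjectPublicKey bits, as RFC 6960 specifies for issuerKeyHash."""
    cert_id = tlv(0x30,
                  tlv(0x30, der_oid(SHA1_OID) + tlv(0x05, b""))        # AlgorithmIdentifier {sha1, NULL}
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())    # issuerNameHash
                  + tlv(0x04, hashlib.sha1(issuer_public_key).digest())  # issuerKeyHash
                  + der_integer(serial))                                 # serialNumber
    request = tlv(0x30, cert_id)           # Request, no singleRequestExtensions
    request_list = tlv(0x30, request)      # SEQUENCE OF Request
    tbs_request = tlv(0x30, request_list)  # TBSRequest, version omitted (DEFAULT v1)
    return tlv(0x30, tbs_request)          # OCSPRequest, no optionalSignature


def read_tlv(buf: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ocsp_request(der: bytes) -> list:
    """Decode an OCSPRequest into one dict per CertID it asks about."""
    tag, outer, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, tbs, _ = read_tlv(outer)  # TBSRequest; an optionalSignature [0] would follow it
    pos = 0
    while pos < len(tbs) and tbs[pos] in (0xA0, 0xA1):  # skip [0] version and [1] requestorName
        _, _, pos = read_tlv(tbs, pos)
    _, request_list, _ = read_tlv(tbs, pos)
    results, pos = [], 0
    while pos < len(request_list):
        _, request, pos = read_tlv(request_list, pos)
        _, cert_id, _ = read_tlv(request)
        _, alg, p = read_tlv(cert_id)
        _, oid_body, _ = read_tlv(alg)
        _, name_hash, p = read_tlv(cert_id, p)
        _, key_hash, p = read_tlv(cert_id, p)
        _, serial, _ = read_tlv(cert_id, p)
        results.append({"hash_algorithm": decode_oid(oid_body),
                        "issuer_name_hash": name_hash.hex(),
                        "issuer_key_hash": key_hash.hex(),
                        "serial": int.from_bytes(serial, "big")})
    return results


def cert_id_matches(entry: dict, issuer_name_der: bytes, issuer_public_key: bytes, serial: int) -> bool:
    """Responder-side check: does this CertID refer to a certificate we know about?"""
    return (entry["hash_algorithm"] == SHA1_OID
            and entry["issuer_name_hash"] == hashlib.sha1(issuer_name_der).hexdigest()
            and entry["issuer_key_hash"] == hashlib.sha1(issuer_public_key).hexdigest()
            and entry["serial"] == serial)


if __name__ == "__main__":
    # Constructed placeholder inputs, not from any real CA or certificate.
    name, key, serial = b"constructed-issuer-name-der", b"constructed-issuer-public-key", 0x8F1E2D3C4B5A6978
    req = build_ocsp_request(name, key, serial)
    print(req.hex())  # this is the body a client would POST to the responder over HTTP
    for entry in parse_ocsp_request(req):
        print(entry, cert_id_matches(entry, name, key, serial))
```

The hex dump printed by the demo is what travels on the wire; everything in it is plaintext unless the HTTP connection itself is protected, which is why the request alone tells an observer which certificate, and so which site, the client is validating.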