The Online Certificate Status Protocol (OCSP), described in [RFC2560], provides a mechanism, as a supplement to checking against a periodic certificate revocation list (CRL), to obtain timely information regarding the revocation status of a certificate (see [RFC3280] section 3.3). OCSP enables applications to determine the revocation state of an identified X.509 certificate (see [X509]). The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments ([RFC5019]) provides a profile of OCSP that specifies a subset of the functionality of the complete OCSP defined in [RFC2560]. OCSP Extensions specifies the data that needs to be exchanged between an application that checks the status of a certificate and the responder that provides the status.
OCSP is a component of a public key infrastructure (PKI). A PKI consists of a system of digital certificates, certification authorities (CAs), and other registration authorities (RAs) that verify and authenticate the validity of each party involved in an electronic transaction through the use of public key cryptography.
The certificate status received as a result of using OCSP is known as a response from an OCSP responder. The OCSP request/response process involves a number of different machines (or functions that might be hosted on the same machine), as indicated in Figure 1.
Figure 1: Response from an OCSP
In the preceding figure, the principal components are as follows:
CA: The certification authority that provides certificate status information to the OCSP responder through the use of CRLs.
Relying party (RP): The resource guard that validates a certificate chain and contacts an OCSP responder to request certificate status.
OCSP responder: An authoritative source for certificate revocation status (see [RFC3280] section 3.3). The protocols and data structures used for OCSP are defined in section 2.2. The connection over which OCSP is conducted is shown in the preceding figure as a solid bold horizontal line.
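As an added example, not part of this specification or of any Microsoft implementation, the exchange between the three components above built with the third-party Python `cryptography` package (assumed to be installed): the CA issues certificates and feeds its CRL knowledge to the responder, the responder answers good or revoked (or an unauthorized error for a certificate it does not know, as [RFC5019] permits), and the relying party verifies the response signature and serial number before trusting the status. All keys, names and serial numbers are constructed in-process.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW, DAY = datetime.datetime.now(datetime.timezone.utc), datetime.timedelta(days=1)
DER = serialization.Encoding.DER

def issue(cn, issuer_cert, issuer_key, key, serial):  # CA role; self-signed root when issuer_cert is None
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])  # constructed names
    issuer = subject if issuer_cert is None else issuer_cert.subject
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .sign(issuer_key, hashes.SHA256()))

def respond(der_request, ca_cert, ca_key, issued, revoked):  # responder role; `revoked` = CA's CRL serials
    req = ocsp.load_der_ocsp_request(der_request)
    cert = issued.get(req.serial_number)  # `issued` maps serial -> certificate known from the CA
    if cert is None:  # not a certificate of this CA: RFC 5019 permits an 'unauthorized' error response
        return ocsp.OCSPResponseBuilder.build_unsuccessful(
            ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
    is_revoked = req.serial_number in revoked
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.REVOKED if is_revoked else ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=NOW + DAY,
                          revocation_time=NOW if is_revoked else None,
                          revocation_reason=x509.ReasonFlags.key_compromise if is_revoked else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)  # the CA itself signs the response
            .sign(ca_key, hashes.SHA256()).public_bytes(DER))

def relying_party_status(cert, issuer_cert, send):  # RP role: validate the answer before trusting it
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer_cert, hashes.SHA1()).build()
    resp = ocsp.load_der_ocsp_response(send(req.public_bytes(DER)))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return resp.response_status.name.lower()  # e.g. 'unauthorized'
    # Direct trust model: the issuing CA signed the response, so its public key verifies the signature
    issuer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    ec.ECDSA(resp.signature_hash_algorithm))
    assert resp.serial_number == cert.serial_number, "answer is for a different certificate"
    return resp.certificate_status.name.lower()  # 'good' or 'revoked'

def demo():
    ca_key, ee_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca = issue("Constructed Root CA", None, ca_key, ca_key, 1)
    certs = [issue(cn, ca, ca_key, ee_key, n) for n, cn in
             ((1001, "good.example"), (1002, "revoked.example"), (1003, "unknown.example"))]
    issued = {c.serial_number: c for c in certs[:2]}  # serial 1003 never reaches the responder
    send = lambda der: respond(der, ca, ca_key, issued, revoked={1002})  # 1002 is on the CA's CRL
    return {c.subject.rfc4514_string(): relying_party_status(c, ca, send) for c in certs}
```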