OCSP to go away soon

Thursday, February 27, 2025

In a recent Feisty Duck newsletter post titled “The slow death of OCSP”, the author explains why the Online Certificate Status Protocol (OCSP) is gradually losing significance in the SSL/TLS ecosystem. It is interesting to understand what’s next for the protocol and to take a quick look at how it came to be in the first place many years ago.

Originally conceived to provide real-time certificate revocation information, OCSP has been hampered by performance bottlenecks, occasional inaccuracies, and soft-fail browser implementations. In short, if an OCSP responder is unreachable, most browsers proceed without a valid response (soft-fail), so a revoked certificate can still be accepted and the revocation check gives no real guarantee. As users, we never know when we’re protected and when we’re not.

The article looks at emerging approaches that promise to replace or complement OCSP. These include “must-staple” extensions (requiring the server to present a current OCSP response together with its certificate, so the browser never has to contact the responder itself), shorter certificate lifespans that reduce the need for revocation checks because expiry bounds the exposure, and new technologies such as CRLite (more details at https://github.com/mozilla/crlite).
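
To make the soft-fail gap and the alternatives concrete, here is a toy revocation-check evaluator (an added example, not code from the newsletter or this post). The certificate and OCSP data, the current time and the SHORT_LIVED_MAX_DAYS threshold are all constructed assumptions; it shows what a relying party decides about a certificate the CA has in fact revoked under soft-fail, hard-fail, must-staple and short-lived policies.

```python
"""Toy revocation-check evaluator for the policies the post contrasts. Added example,
not the newsletter's code; all certificate/OCSP data and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2025, 2, 27, tzinfo=timezone.utc)   # constructed "current time"
SHORT_LIVED_MAX_DAYS = 10   # assumed lifetime at or below which no check is made

@dataclass
class Cert:
    not_before: datetime
    not_after: datetime
    must_staple: bool           # TLS Feature ("must-staple") extension present
@dataclass
class StapledOCSP:
    status: str                 # "good" or "revoked"
    next_update: datetime       # the response is stale once this time has passed

def revocation_decision(cert: Cert, staple: Optional[StapledOCSP],
                        responder_reachable: bool, live_status: Optional[str],
                        policy: str) -> str:
    """Return 'accept' or 'reject'; policy is 'soft-fail' or 'hard-fail'."""
    if cert.not_after - cert.not_before <= timedelta(days=SHORT_LIVED_MAX_DAYS):
        return "accept"         # short-lived: expiry bounds the exposure, no check
    if cert.must_staple and (staple is None or staple.next_update < NOW):
        return "reject"         # must-staple: a fresh stapled response is mandatory
    if staple is not None and staple.next_update >= NOW:
        return "accept" if staple.status == "good" else "reject"
    if responder_reachable:     # no usable staple: fall back to a live OCSP query
        return "accept" if live_status == "good" else "reject"
    # Responder unreachable: soft-fail accepts with no revocation information at all.
    return "accept" if policy == "soft-fail" else "reject"

def sample_cert(lifetime_days: int, must_staple: bool = False) -> Cert:
    start = NOW - timedelta(days=1)     # constructed: issued yesterday
    return Cert(start, start + timedelta(days=lifetime_days), must_staple)
def sample_staple(status: str, fresh: bool = True) -> StapledOCSP:
    return StapledOCSP(status, NOW + timedelta(days=3 if fresh else -3))

def scenarios() -> dict:
    """What a relying party decides for a certificate the CA has in fact revoked."""
    plain, ms = sample_cert(398), sample_cert(398, must_staple=True)
    return {
        "soft-fail, responder down": revocation_decision(plain, None, False, None, "soft-fail"),
        "hard-fail, responder down": revocation_decision(plain, None, False, None, "hard-fail"),
        "must-staple, no staple": revocation_decision(ms, None, False, None, "soft-fail"),
        "must-staple, stale staple": revocation_decision(ms, sample_staple("good", False), False, None, "soft-fail"),
        "must-staple, revoked staple": revocation_decision(ms, sample_staple("revoked"), False, None, "soft-fail"),
        "short-lived, responder down": revocation_decision(sample_cert(7), None, False, None, "hard-fail"),
    }
```

The first scenario is the gap the post describes: with the responder down and no staple, a soft-fail client accepts the revoked certificate, while must-staple and short lifetimes remove the dependency on a live responder altogether.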

As the SSL/TLS landscape continues to evolve, the author highlights how these approaches may soon make OCSP and its real-time checks less relevant, and stresses that organizations should stay informed and adapt their certificate management practices accordingly.

Reference:
Feisty Duck, SSL/TLS & PKI News by Ivan Ristić, Issue 121 – The Slow Death of OCSP.
