11.2.5.2. Online Certificate Status Protocol (OCSP) stapling

Online Certificate Status Protocol (OCSP) stapling is an alternative to Certificate Revocation Lists (CRL), which were previously the only available means of verifying the validity of certificates. The underlying OCSP protocol is described in detail in IETF RFC 6960. With OCSP stapling it is possible to define how strictly the encryption policies check the revocation status of certificates.

Online Certificate Status Protocol stapling provides the following benefits:

  • It moves the task of keeping revocation information up to date from the clients to the server operators, which is the more convenient arrangement.

  • The data exchanged during OCSP stapling is much smaller than a CRL, so the network load is lower as well.

  • Clients can verify the revocation state of a certificate with little overhead.

OCSP stapling provides a potentially fresher revocation state with less traffic. The responsibility for obtaining the revocation state of a certificate moves from the client (for example, a web browser) to the server. The server fetches the revocation information for its own certificates and caches it for a short period of time. When a client attempts to establish a secure connection, the server staples the revocation state to the certificate it sends to the client.
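The flow just described, with a server that staples a cached response and a client that chooses how strictly to treat it, as an added example written in Go with only the standard library; it is not Zorp's code, and Zorp's own policy settings are the ones documented in the Reference Guide referenced below. The server attaches the staple through tls.Certificate.OCSPStaple and the client reads it from ConnectionState().OCSPResponse, both of which are real crypto/tls fields. Everything else is constructed for the example: the self-signed certificate, the host name stapling.example, the StaplePolicy levels, the 10-minute cache lifetime and the staple bytes themselves. Go's standard library cannot parse an OCSP response, so the bytes stand in for a real DER response and the example demonstrates the transport and the strictness policy, not the parsing of the response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// StaplePolicy models the strictness level a client-side encryption policy applies to stapled revocation data (names are this example's own, not Zorp keys).
type StaplePolicy int

const (
	StapleIgnore   StaplePolicy = iota // never look at the staple
	StapleOptional                     // use a staple when present, accept its absence
	StapleRequired                     // refuse the connection when nothing was stapled
)

// constructedStaple stands in for the DER-encoded OCSP response a server fetches from its CA's responder; the bytes are made up and are not a real response.
var constructedStaple = []byte("CONSTRUCTED-OCSP-RESPONSE-PLACEHOLDER")

// freshStaple is the server-side cache rule: a response fetched at fetchedAt is stapled only for ttl (a constructed value); afterwards it must be refetched, not served.
func freshStaple(resp []byte, fetchedAt time.Time, ttl time.Duration, now time.Time) []byte {
	if now.After(fetchedAt.Add(ttl)) {
		return nil
	}
	return resp
}

// selfSignedCert builds a throwaway certificate for the in-process server.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// Connect runs one TLS handshake over an in-memory pipe: the server staples `staple` (nil: nothing current to staple), the client applies policy and returns the staple it saw (nil under StapleIgnore).
func Connect(staple []byte, policy StaplePolicy) ([]byte, error) {
	const host = "stapling.example"
	cert, leaf, err := selfSignedCert(host)
	if err != nil {
		return nil, err
	}
	cert.OCSPStaple = staple // crypto/tls sends this in reply to the client's status_request
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()
	srvErr := make(chan error, 1)
	go func() {
		srv := tls.Server(serverConn, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			SessionTicketsDisabled: true, // no extra server write on the synchronous pipe
		})
		srvErr <- srv.Handshake()
	}()
	cli := tls.Client(clientConn, &tls.Config{RootCAs: pool, ServerName: host})
	if err := cli.Handshake(); err != nil {
		return nil, err
	}
	if err := <-srvErr; err != nil {
		return nil, err
	}
	// A real client decides this in tls.Config.VerifyConnection, before application data flows.
	got := cli.ConnectionState().OCSPResponse
	switch {
	case policy == StapleIgnore:
		return nil, nil
	case policy == StapleRequired && len(got) == 0:
		return nil, fmt.Errorf("policy: server stapled no OCSP response")
	}
	return got, nil
}

func main() {
	now := time.Now()
	stale := freshStaple(constructedStaple, now.Add(-time.Hour), 10*time.Minute, now)
	_, err := Connect(stale, StapleRequired)
	fmt.Println("stale cache under StapleRequired:", err)
}
```

Running it shows a stale cache entry being refused under StapleRequired: the server has nothing current to staple, so it staples nothing, and a strict client policy rejects the connection, whereas StapleOptional accepts the same handshake without a staple and StapleIgnore never looks at one.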

For more details, see Section 3.2.4, Configuring Encryption policies in the Zorp Professional 7 Reference Guide.