datatracker.ietf.org
Sign In
Version 5.1.0, 2014-03-05
Report a bug

The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
RFC 5019

Document type: RFC - Proposed Standard (September 2007)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html
IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned
IESG State: RFC 5019 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: pkix-chairs@tools.ietf.org, alex@verisign.com, rmh@microsoft.com
Email Authors | IPR Disclosures | Dependencies to this document | References | Referenced By | Check nits | History feed | Search Mailing Lists 
Network Working Group                                          A. Deacon
Request for Comments: 5019                                      VeriSign
Category: Standards Track                                       R. Hurst
                                                               Microsoft
                                                          September 2007

   The Lightweight Online Certificate Status Protocol (OCSP) Profile
                      for High-Volume Environments

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This specification defines a profile of the Online Certificate Status
   Protocol (OCSP) that addresses the scalability issues inherent when
   using OCSP in large scale (high volume) Public Key Infrastructure
   (PKI) environments and/or in PKI environments that require a
   lightweight solution to minimize communication bandwidth and client-
   side processing.

Deacon & Hurst              Standards Track                     [Page 1]
RFC 5019                Lightweight OCSP Profile          September 2007

Table of Contents

   1. Introduction ....................................................3
      1.1. Requirements Terminology ...................................4
   2. OCSP Message Profile ............................................4
      2.1. OCSP Request Profile .......................................4
           2.1.1. OCSPRequest Structure ...............................4
           2.1.2. Signed OCSPRequests .................................5
      2.2. OCSP Response Profile ......................................5
           2.2.1. OCSPResponse Structure ..............................5
           2.2.2. Signed OCSPResponses ................................6
           2.2.3. OCSPResponseStatus Values ...........................6
           2.2.4. thisUpdate, nextUpdate, and producedAt ..............7
   3. Client Behavior .................................................7
      3.1. OCSP Responder Discovery ...................................7
      3.2. Sending an OCSP Request ....................................7
   4. Ensuring an OCSPResponse Is Fresh ...............................8
   5. Transport Profile ...............................................9
   6. Caching Recommendations .........................................9
      6.1. Caching at the Client .....................................10
      6.2. HTTP Proxies ..............................................10
      6.3. Caching at Servers ........................................12
   7. Security Considerations ........................................12
      7.1. Replay Attacks ............................................12
      7.2. Man-in-the-Middle Attacks .................................13
      7.3. Impersonation Attacks .....................................13
      7.4. Denial-of-Service Attacks .................................13
      7.5. Modification of HTTP Headers ..............................14
      7.6. Request Authentication and Authorization ..................14
   8. Acknowledgements ...............................................14
   9. References .....................................................14
      9.1. Normative References ......................................14
      9.2. Informative References ....................................15
   Appendix A. Example OCSP Messages .................................16
      A.1. OCSP Request ..............................................16
      A.2. OCSP Response .............................................16

Deacon & Hurst              Standards Track                     [Page 2]
RFC 5019                Lightweight OCSP Profile          September 2007

1.  Introduction

   The Online Certificate Status Protocol [OCSP] specifies a mechanism
   used to determine the status of digital certificates, in lieu of
   using Certificate Revocation Lists (CRLs).  Since its definition in
   1999, it has been deployed in a variety of environments and has
   proven to be a useful certificate status checking mechanism.  (For
   brevity we refer to OCSP as being used to verify certificate status,
   but only the revocation status of a certificate is checked via this
   protocol.)

   To date, many OCSP deployments have been used to ensure timely and
   secure certificate status information for high-value electronic
   transactions or highly sensitive information, such as in the banking
   and financial environments.  As such, the requirement for an OCSP

[include full document text]