The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
RFC 5019
Document Type RFC - Proposed Standard (September 2007; Errata)
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Reviews
SECDIR Early Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5019 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                          A. Deacon
Request for Comments: 5019                                      VeriSign
Category: Standards Track                                       R. Hurst
                                                               Microsoft
                                                          September 2007

   The Lightweight Online Certificate Status Protocol (OCSP) Profile
                      for High-Volume Environments

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This specification defines a profile of the Online Certificate Status
   Protocol (OCSP) that addresses the scalability issues inherent when
   using OCSP in large scale (high volume) Public Key Infrastructure
   (PKI) environments and/or in PKI environments that require a
   lightweight solution to minimize communication bandwidth and client-
   side processing.

Deacon & Hurst              Standards Track                     [Page 1]
RFC 5019                Lightweight OCSP Profile          September 2007

Table of Contents

   1. Introduction ....................................................3
      1.1. Requirements Terminology ...................................4
   2. OCSP Message Profile ............................................4
      2.1. OCSP Request Profile .......................................4
           2.1.1. OCSPRequest Structure ...............................4
           2.1.2. Signed OCSPRequests .................................5
      2.2. OCSP Response Profile ......................................5
           2.2.1. OCSPResponse Structure ..............................5
           2.2.2. Signed OCSPResponses ................................6
           2.2.3. OCSPResponseStatus Values ...........................6
           2.2.4. thisUpdate, nextUpdate, and producedAt ..............7
   3. Client Behavior .................................................7
      3.1. OCSP Responder Discovery ...................................7
      3.2. Sending an OCSP Request ....................................7
   4. Ensuring an OCSPResponse Is Fresh ...............................8
   5. Transport Profile ...............................................9
   6. Caching Recommendations .........................................9
      6.1. Caching at the Client .....................................10
      6.2. HTTP Proxies ..............................................10
      6.3. Caching at Servers ........................................12
   7. Security Considerations ........................................12
      7.1. Replay Attacks ............................................12
      7.2. Man-in-the-Middle Attacks .................................13
      7.3. Impersonation Attacks .....................................13
      7.4. Denial-of-Service Attacks .................................13
      7.5. Modification of HTTP Headers ..............................14
      7.6. Request Authentication and Authorization ..................14
   8. Acknowledgements ...............................................14
   9. References .....................................................14
      9.1. Normative References ......................................14
      9.2. Informative References ....................................15
   Appendix A. Example OCSP Messages .................................16
      A.1. OCSP Request ..............................................16
      A.2. OCSP Response .............................................16

Deacon & Hurst              Standards Track                     [Page 2]
RFC 5019                Lightweight OCSP Profile          September 2007

1.  Introduction

   The Online Certificate Status Protocol [OCSP] specifies a mechanism
   used to determine the status of digital certificates, in lieu of
   using Certificate Revocation Lists (CRLs).  Since its definition in
   1999, it has been deployed in a variety of environments and has
   proven to be a useful certificate status checking mechanism.  (For
   brevity we refer to OCSP as being used to verify certificate status,
   but only the revocation status of a certificate is checked via this
   protocol.)

   To date, many OCSP deployments have been used to ensure timely and
   secure certificate status information for high-value electronic
   transactions or highly sensitive information, such as in the banking
   and financial environments.  As such, the requirement for an OCSP
   responder to respond in "real time" (i.e., generating a new OCSP
   response for each OCSP request) has been important.  In addition,
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools