Subject: How many ways are there to do certificate revocation checking?
Author: X509
In response to: Certificate Revocation Checking via OCSP
Posted on: 06/25/2010 10:16:23 PM
There are three ways to do certificate revocation checking:
1) Statically by CRL (Certificate Revocation List) files, which are typically in local storage;
2) Dynamically by CRL Distribution Point (CRLDP) which is inside the target certificate as a URL typically pointing to the issuer's CA CRL repository;
3) Dynamically by OCSP to any server which provides Certificate Revocation Checking service.
>
> On 06/25/2010 10:00:03 PM X509 wrote:
What is OCSP?
OCSP stands for Online Certificate Status Protocol, which is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 2560 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.
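The three ways listed in this post, as an added example that is not part of the original thread: a local CRL lookup, reading the CRLDP URL out of a certificate, and building the ASN.1 (DER) body of an OCSP request. It assumes the Python `cryptography` package; the CA, certificates, CRL, and URL are constructed sample data, and nothing is sent over the network.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtensionOID, NameOID

NOW = datetime.datetime(2024, 1, 1)          # all sample data below is constructed
CRL_URL = "http://ca.example.test/ca.crl"    # constructed CRLDP URL
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_sample():  # constructed CA, leaf with a CRLDP, and a CRL revoking the leaf
    ca_key = ec.generate_private_key(ec.SECP256R1())
    def cert(subject, public_key, exts):
        b = (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(_name("Test CA"))
             .public_key(public_key).serial_number(x509.random_serial_number())
             .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365)))
        for ext in exts:
            b = b.add_extension(ext, critical=False)
        return b.sign(ca_key, hashes.SHA256())
    ca = cert("Test CA", ca_key.public_key(), [])
    leaf_pub = ec.generate_private_key(ec.SECP256R1()).public_key()
    leaf = cert("leaf.example.test", leaf_pub, [x509.CRLDistributionPoints(
        [x509.DistributionPoint([x509.UniformResourceIdentifier(CRL_URL)], None, None, None)])])
    revoked = x509.RevokedCertificateBuilder().serial_number(leaf.serial_number).revocation_date(NOW).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject).last_update(NOW)
           .next_update(NOW + datetime.timedelta(days=7)).add_revoked_certificate(revoked)
           .sign(ca_key, hashes.SHA256()))
    return ca, leaf, crl

def revoked_by_local_crl(cert, crl, ca):
    """Way 1: look the serial number up in a local CRL after checking the CA signed it."""
    if crl.issuer != ca.subject or not crl.is_signature_valid(ca.public_key()):
        raise ValueError("CRL was not issued by this CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

def crldp_urls(cert):
    """Way 2: read the CRL URLs embedded in the certificate's CRLDP extension."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def ocsp_request_der(cert, issuer):
    """Way 3: the ASN.1 (DER) request body a client would send to an OCSP responder."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)
```

A CRL fetched from a CRLDP URL should go through the same issuer and signature check as `revoked_by_local_crl` before its contents are trusted.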