RFC 2560: X.509 Internet Public Key Infrastructure ...
RFC-Ref

OCSP



... in section 5. We cover security issues with the protocol in section 6. Appendix A defines OCSP over HTTP, appendix B accumulates ASN.1 ...


... The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate. OCSP may be used to satisfy some of the operational requirements of ... CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate ...
... An OCSP request contains the following data: ...
... optional extensions which MAY be processed by the OCSP Responder ...
... Upon receipt of a request, an OCSP Responder determines if: ...
... the request contains the information needed by the responder. If any one of the prior conditions is not met, the OCSP responder produces an error message ...
... OCSP responses can be of various types. An OCSP response consists of a response type and the bytes of the actual response. There is one basic type of OCSP response that MUST be supported by all OCSP servers and clients. The rest of this section pertains only to this ...
... CA, indicating that the responder may issue OCSP responses for that CA ...
... In case of errors, the OCSP Responder may return an error message. ...
... A server produces the "malformedRequest" response if the request received does not conform to the OCSP syntax. ...
... The response "internalError" indicates that the OCSP responder reached an inconsistent internal state ...
... In the event that the OCSP responder is operational, but unable to return a status for the requested certificate ...
... available about the status of the certificate - producedAt: The time at which the OCSP responder signed this response. ...
... OCSP responders MAY pre-produce signed responses specifying the status of certificates ...
... OCSP Signature Authority Delegation ...
... certificate's issuer explicitly delegates OCSP signing authority by issuing a certificate containing a unique value for extendedKeyUsage in the OCSP signer's certificate ...
... If an OCSP responder knows that a particular CA's private key ...


... In order to convey to OCSP clients a well-known point of information ...
... RFC2459], section 4.2.2.1) in certificates that can be checked using OCSP. Alternatively, the accessLocation for the OCSP provider may be configured locally at the OCSP client. ...
... CAs that support an OCSP service, either hosted locally or provided by an Authorized Responder ...
... defines the transport (e.g. HTTP) used to access the OCSP responder and may contain other transport ...
... Prior to accepting a signed response as valid, OCSP clients SHALL confirm that: ...


... The requestor MAY choose to sign the OCSP request. In that case, the signature is computed over the tbsRequest structure. If the request ...
... field. Also, for signed requests, the requestor MAY include certificates that help the OCSP responder verify the requestor's signature ...
... ASN.1 Specification of the OCSP Response ...
... An OCSP response at a minimum consists of a responseStatus field indicating the processing status of the prior request. If the value of responseStatus is one of the error conditions ...
... For a basic OCSP responder, responseType will be id-pkix-ocsp-basic. ...
... OCSP responders SHALL be capable of producing responses of the id-pkix-ocsp-basic response type. Correspondingly, OCSP clients SHALL be capable of receiving ...
... Notes on OCSP Responses ...
... so. Therefore, a certificate's issuer MUST either sign the OCSP responses itself or it MUST explicitly designate this authority to another entity. OCSP signing delegation SHALL be designated by the inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate extension included in the OCSP response signer's certificate. This ...
... Systems or applications that rely on OCSP responses MUST be capable of detecting and enforcing use of the id-ad-ocspSigning value as described above. They MAY provide a means of locally configuring one or more OCSP signing authorities, and specifying the set of CAs ...
... Matches a local configuration of OCSP signing authority for the ...
... Since an Authorized OCSP responder provides status information for one or more CAs, OCSP clients need to know how to check that an authorized responder ...
... A CA may specify that an OCSP client can trust a responder ...
... responder's certificate, in which case, it would be up to the OCSP client's local security policy to decide whether that ...
... Clients that request OCSP services SHALL be capable of processing responses signed using DSA ...
... signatures as specified in section 7.2.1 of [RFC2459]. OCSP responders SHALL support the SHA1 hashing algorithm ...
... responders. For each extension, the definition indicates its syntax, processing performed by the OCSP Responder, and any extensions which are included in the corresponding response. ...
... It may be desirable for the OCSP responder to indicate the CRL on which a revoked or onHold certificate is found. This can be useful where OCSP is used between repositories, and also as an auditing mechanism. The CRL may be specified by a URL ...
... An OCSP client MAY wish to specify the kinds of response types it understands. To do so, it SHOULD use an extension with the OID ...
... As noted in section 4.2.1, OCSP responders SHALL be capable of responding with responses of the id-pkix-ocsp-basic response type. Correspondingly, OCSP clients SHALL be capable of receiving and ...
... An OCSP responder MAY choose to retain revocation information beyond ...
... OCSP-enabled applications would use an OCSP archive cutoff date to contribute to a proof that a digital signature ...
... OCSP servers that provide support for such historical reference SHOULD include an archive cutoff date extension in responses. If included, this value SHALL be provided as an OCSP singleExtensions extension identified by id-pkix-ocsp-archive-cutoff and of syntax ...
... An OCSP server may be operated in a mode whereby the server receives a request and routes it to the OCSP server which is known to be authoritative for the identified certificate. The serviceLocator ...


... after the certificate has been revoked. Deployments of OCSP should carefully evaluate the benefit of precomputed responses against the probability of a replay attack ...
... responder they are directed to. This allows an attacker to replay a request to any number of OCSP responders. ...
... HTTP cache mechanisms into account when deploying OCSP over HTTP. ...


... A.1 OCSP over HTTP ...
... HTTP based OCSP requests can use either the GET or the POST method to submit their requests. To enable HTTP ...
... privacy is a requirement, OCSP transactions exchanged using HTTP MAY be ...
... An OCSP request using the GET method is constructed as follows: ...
... where {url} may be derived from the value of AuthorityInfoAccess or other local configuration of the OCSP client. ...
... An OCSP request using the POST method is constructed as follows: The Content-Type ...
... An HTTP-based OCSP response is composed of the appropriate HTTP headers, followed by the binary value of the DER encoding ...


... Appendix B. OCSP in ASN.1 ...
... OCSP DEFINITIONS EXPLICIT TAGS ::= ...


... PKIX Working Group Draft on Online Certificate Status Protocol - OCSP ... Applications which use this media type: OCSP clients ...
... PKIX Working Group Draft on Online Certificate Status Protocol - OCSP ... Applications which use this media type: OCSP servers ... Additional information: ...


