The major browser manufacturers and certificate issuers are, for the time being, ending their support for the Online Certificate Status Protocol (OCSP) and will in future rely fully on revocation lists (Certificate Revocation Lists, CRLs), which are updated regularly but not in real time. According to the commitment of the bodies organized in the “CA/Browser Forum”, these lists will be updated more quickly in the future.
That forum, abbreviated CAB, is an association of browser manufacturers and certificate authorities (CAs). In its so-called “Baseline Requirements”, the committee standardizes the Internet-wide handling of certificates according to the ITU-T standard X.509, commonly known as “TLS certificates”.
In some cases, such certificates must be withdrawn before they expire. This happens, for example, if the private key belonging to the certificate is unsuitable or compromised, the certificate was issued illegally or it contains incorrect information.
This process, known as “revocation”, can take place in two ways. The responsible CA enters the serial number of the revoked certificate in a “Certificate Revocation List” (CRL), i.e. a list that remote devices such as browsers download and consult on every new TLS connection. In order to get rid of the unwieldy lists – the German research network DFN alone maintains around 700 of them – experts designed the OCSP protocol. The idea: instead of downloading a list in the background and laboriously going through it to find the certificate in question, the browser receives information about its status in real time.
However, OCSP suffered from problems from the start that severely limited its usability in practice. The verification services, called OCSP Responder, were not very stable and browser manufacturers such as Google saw the online query of certificate information as a threat to privacy. This left only the CRLs, whose position is now strengthened.
Game, set, win for CRLs
As of today, March 15, certificate issuers must publish a complete CRL and certificates must appear there no later than 24 hours after they are revoked. Apple and Mozilla had already made this a condition for trustworthy CAs in 2022. If a CA wants to continue to support OCSP, it is free to do so – but it is no longer mandatory.
It is therefore to be expected that support for OCSP among certification authorities will quickly wane and the protocol will disappear into obscurity.
Aside from web server certificates, OCSP also caused trouble in German medicine. Gematik blames difficulties with the protocol for recurring failures in the telematics infrastructure (TI). Medical practices rely on TI to issue electronic prescriptions and certificates.
(cku)