Hi,
OCSP stands for Online Certificate Status Protocol.  This, as the name
suggests, specifies a protocol to obtain the status of a certificate online.

There can be many reasons for a certificate to become invalid even before
the end of the lifetime for which it was issued.  These may be key
compromise, etc.
Each CA maintains a list of all the revoked certificates.  That list is
called the Certificate Revocation List (CRL).

Our aim is to obtain the status of a certificate, i.e. valid or invalid.  To be
more technical, revoked or not revoked.

One method of knowing this is using the LDAP protocol.  Using this protocol a
user can download the CRL and check it against the serial number of the
certificate in question.  If the serial number is found, it means the
certificate is revoked; else the user can assume that the certificate is not
revoked.

This requires a lot of memory in your system as the CRL size keeps on
increasing.

For that reason the OCSP protocol was born.  This might be the author's
intention in bringing up this protocol.

There is a server called an OCSP responder.  This server maintains all
the certificates that are revoked for a particular CA.  (The CA may itself
be an OCSP responder also.)

The user constructs an OCSP request as per the protocol with all the details of
the certificate for which the revocation status has to be found.  The
responder will respond with the status of that certificate, saying whether it
is GOOD, REVOKED or UNKNOWN.

This is my understanding of the OCSP protocol.

I hope this helps...

Regards
Suram


----- Original Message -----
From: Issac Goldstand <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 08, 2002 1:17 AM
Subject: newbie question on OCSP


Can someone please help a poor newbie understand exactly what this is
for and how it's used?  I've tried looking at the documentation, but I
feel like I'm drowning, probably because I'm trying to understand the
details, but not quite getting the simple stuff...

Thanks in advance,
  Issac
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
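The two checks described in the reply above (look the serial number up in a CRL; or send the responder an OCSP request and get back GOOD, REVOKED or UNKNOWN) are illustrated below in an added, stand-alone Python example. It is not code from the thread or from OpenSSL. It uses only the standard library to DER-encode an unsigned OCSPRequest the way RFC 6960 lays it out (CertID = hash of the issuer's DN, hash of the issuer's public key bits, and the serial number), parses it back, and answers it from an in-memory dictionary that stands in for a responder. The issuer name, issuer key bytes and revoked serials are all constructed sample data, not a real CA.

```python
"""Build, parse and answer a minimal (unsigned) OCSP request, RFC 6960 style.

Added illustration using only the standard library; the "responder" is an
in-memory dictionary standing in for a real OCSP responder.
"""
import hashlib

# --- minimal DER helpers: only what an OCSPRequest needs ---

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    """INTEGER for a non-negative serial: minimal two's-complement encoding
    (a leading 0x00 is added when the top bit is set, e.g. 0x80 -> 00 80)."""
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def der_set(*items):
    return der_tlv(0x31, b"".join(items))

def der_read(buf, off=0):
    """Decode one TLV at buf[off:]; return (tag, body, offset_after)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    return tag, buf[start:start + length], start + length

def der_children(body):
    """Split a constructed type's body into its (tag, body) members."""
    out, off = [], 0
    while off < len(body):
        tag, val, off = der_read(body, off)
        out.append((tag, val))
    return out

SHA1_OID = bytes.fromhex("06052b0e03021a")      # OID 1.3.14.3.2.26 (sha1)
SHA1_ALGID = der_seq(SHA1_OID, b"\x05\x00")     # AlgorithmIdentifier { sha1, NULL }
OID_CN = bytes.fromhex("0603550403")            # OID 2.5.4.3 (commonName)

def cert_id(issuer_name_der, issuer_pubkey_bytes, serial):
    """CertID (RFC 6960 4.1.1): the certificate is identified by
    hash(issuer DN DER), hash(issuer subjectPublicKey bits) and its serial."""
    return der_seq(
        SHA1_ALGID,
        der_tlv(0x04, hashlib.sha1(issuer_name_der).digest()),
        der_tlv(0x04, hashlib.sha1(issuer_pubkey_bytes).digest()),
        der_int(serial),
    )

def build_ocsp_request(issuer_name_der, issuer_pubkey_bytes, serial):
    """OCSPRequest { tbsRequest { requestList { Request { reqCert } } } }.
    version defaults to v1 and is omitted; optionalSignature is omitted."""
    request = der_seq(cert_id(issuer_name_der, issuer_pubkey_bytes, serial))
    return der_seq(der_seq(der_seq(request)))

def parse_cert_id(ocsp_request_der):
    """Descend OCSPRequest -> TBSRequest -> requestList -> Request -> CertID
    and return the four CertID fields."""
    body = ocsp_request_der
    for _ in range(5):
        _tag, body, _ = der_read(body)
    alg, name_hash, key_hash, serial = der_children(body)
    return {
        "hash_alg": alg[1],
        "issuer_name_hash": name_hash[1],
        "issuer_key_hash": key_hash[1],
        "serial": int.from_bytes(serial[1], "big", signed=True),
    }

def crl_says(serial, crl_serials):
    """CRL check as the post describes: listed -> revoked, otherwise assumed
    not revoked.  A CRL cannot say 'I do not know this certificate'."""
    return "revoked" if serial in crl_serials else "not revoked"

def responder_says(ocsp_request_der, responder_db):
    """Stand-in OCSP responder (hypothetical, not a real one).  responder_db
    maps (issuerNameHash, issuerKeyHash) -> set of revoked serials for that CA."""
    cid = parse_cert_id(ocsp_request_der)
    issuer = (cid["issuer_name_hash"], cid["issuer_key_hash"])
    if issuer not in responder_db:
        return "unknown"      # not a CA this responder speaks for
    return "revoked" if cid["serial"] in responder_db[issuer] else "good"

# --- constructed sample data (not a real CA) ---
ISSUER_NAME = der_seq(der_set(der_seq(OID_CN, der_tlv(0x0C, b"Example Test CA"))))
ISSUER_PUBKEY = bytes(range(65))   # stand-in for the issuer's subjectPublicKey bits
OTHER_PUBKEY = bytes(65)           # a different issuer key, unknown to our responder
REVOKED_SERIALS = {0x1001, 0x1337}
RESPONDER_DB = {
    (hashlib.sha1(ISSUER_NAME).digest(), hashlib.sha1(ISSUER_PUBKEY).digest()): REVOKED_SERIALS,
}

if __name__ == "__main__":
    for serial in (0x1337, 0x2002):
        req = build_ocsp_request(ISSUER_NAME, ISSUER_PUBKEY, serial)
        print(f"serial {serial:#x}: CRL says {crl_says(serial, REVOKED_SERIALS)}, "
              f"OCSP responder says {responder_says(req, RESPONDER_DB)}")
    foreign = build_ocsp_request(ISSUER_NAME, OTHER_PUBKEY, 0x2002)
    print("foreign issuer:", responder_says(foreign, RESPONDER_DB))
```

The point the example makes that the prose alone does not: the request never carries the certificate, only the CertID hashes and the serial, and a responder that is not authoritative for that issuer answers UNKNOWN rather than GOOD, whereas a CRL lookup can only say "listed" or "not listed". With real certificates the same exchange is what `openssl ocsp -issuer issuer.pem -cert cert.pem -url <responder>` performs, with the response signed by the responder.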
