Online Certificate Status Protocol (OCSP)

Communications protocol
Status: Proposed Standard
Year started: 4 February 2002 (2002-02-04)
First published: 11 February 2013 (2013-02-11)
Authors: Stefan Santesson, Michael Myers, Rich Ankney, Ambarish Malpani, Slava Galperin, Carlisle Adams, Mohit Sahni, Himanshu Sharma
Base standards: Uniform Resource Identifier (URI), Secure/Multipurpose Internet Mail Extensions (S/MIME)
Domain: Digital certificate
Website: RFC 6960: OCSP; RFC 8954: OCSP Nonce Extension; RFC 9654: OCSP Nonce Extension Enhancements

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

Some web browsers (e.g., Firefox) use OCSP to validate HTTPS certificates, while others have disabled it. Most OCSP revocation statuses on the Internet disappear soon after certificate expiration.

Certificate authorities (CAs) were previously required by the CA/Browser Forum to provide OCSP service, but this requirement was removed in August 2023, instead making CRLs required again. Let's Encrypt has announced their intention to end OCSP service as soon as possible, citing privacy concerns and operational simplicity.

Comparison to CRLs

Since an OCSP response contains less data than a typical certificate revocation list (CRL), it puts less burden on network and client resources.

Since an OCSP response has less data to parse, the client-side libraries that handle it can be less complex than those that handle CRLs.

OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information.

Basic PKI implementation

1. Alice and Bob have public key certificates issued by Carol, the certificate authority (CA).
2. Alice wishes to perform a transaction with Bob and sends him her public key certificate.
3. Bob, concerned that Alice's private key may have been compromised, creates an 'OCSP request' that contains Alice's certificate serial number and sends it to Carol.
4. Carol's OCSP responder reads the certificate serial number from Bob's request. The OCSP responder uses the certificate serial number to look up the revocation status of Alice's certificate. The OCSP responder looks in a CA database that Carol maintains. In this scenario, Carol's CA database is the only trusted location where a compromise to Alice's certificate would be recorded.
5. Carol's OCSP responder confirms that Alice's certificate is still OK, and returns a signed, successful 'OCSP response' to Bob.
6. Bob cryptographically verifies Carol's signed response. Bob has stored Carol's public key some time before this transaction. Bob uses Carol's public key to verify Carol's response.
7. Bob completes the transaction with Alice.

Protocol details

An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

The OCSP request format supports additional extensions. This enables extensive customization to a particular PKI scheme.

OCSP can be vulnerable to replay attacks, where a signed, 'good' response is captured by a malicious intermediary and replayed to the client at a later date after the subject certificate may have been revoked. OCSP allows a nonce to be included in the request that may be included in the corresponding response. Because of high load, most OCSP responders do not use the nonce extension to create a different response for each request, instead using presigned responses with a validity period of multiple days. Thus, the replay attack is a major threat to validation systems.

OCSP can support more than one level of CA. OCSP requests may be chained between peer responders to query the issuing CA appropriate for the subject certificate, with responders validating each other's responses against the root CA using their own OCSP requests.

An OCSP responder may be queried for revocation information by delegated path validation (DPV) servers. OCSP does not, by itself, perform any DPV of supplied certificates.

The key that signs a response need not be the same key that signed the certificate. The certificate's issuer may delegate another authority to be the OCSP responder. In this case, the responder's certificate (the one that is used to sign the response) must be issued by the issuer of the certificate in question, and must include a certain extension that marks it as an OCSP signing authority (more precisely, an extended key usage extension with the OID {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) keyPurpose(3) ocspSigning(9)}).

Privacy concerns

OCSP checking creates a privacy concern for some users, since it requires the client to contact a third party (albeit a party trusted by the client software vendor) to confirm certificate validity. OCSP stapling is a way to verify validity without disclosing browsing behavior to the CA.

Criticisms

OCSP-based revocation is not an effective technique to mitigate against the compromise of an HTTPS server's private key. An attacker who has compromised a server's private key typically needs to be in a man-in-the-middle position on the network to abuse that private key and impersonate a server. An attacker in such a position is also typically in a position to interfere with the client's OCSP queries. Because most clients will silently ignore OCSP if the query times out, OCSP is not a reliable means of mitigating HTTPS server key compromise.

The MustStaple TLS extension in a certificate can require that the certificate be verified by a stapled OCSP response, mitigating this problem. OCSP also remains a valid defense against situations where the attacker is not a "man-in-the-middle" (code-signing or certificates issued in error).

The OCSP protocol assumes the requester has network access to connect to an appropriate OCSP responder. Some requesters may not be able to connect because their local network prohibits direct Internet access (a common practice for internal nodes in a data center). Forcing internal servers to connect to the Internet in order to use OCSP contributes to the de-perimeterisation trend. The OCSP stapling protocol is an alternative that allows servers to cache OCSP responses, which removes the need for the requestor to directly contact the OCSP responder.

Browser support

There is wide support for OCSP amongst most major browsers:

Internet Explorer is built on the CryptoAPI of Windows and thus starting with version 7 on Windows Vista (not XP) supports OCSP checking.

All versions of Mozilla Firefox support OCSP checking. Firefox 3 enables OCSP checking by default.

Safari on macOS supports OCSP checking. It is enabled by default as of Mac OS X 10.7 (Lion). Prior to that, it has to be manually activated in Keychain preferences.

Versions of Opera from 8.0 to the current version support OCSP checking.

However, Google Chrome is an outlier. Google disabled OCSP checks by default in 2012, citing latency and privacy issues and instead uses their own update mechanism to send revoked certificates to the browser.

Implementations

Several open source and proprietary OCSP implementations exist, including fully featured servers and libraries for building custom applications. OCSP client support is built into many operating systems, web browsers, and other network software due to the popularity of HTTPS and the World Wide Web.

Server

Open source
Boulder, CA and OCSP responder developed and used by Let's Encrypt (Go)
DogTag, Open source certificate authority CA, CRL and OCSP responder.
EJBCA, CA and OCSP responder (Java)
XiPKI, CA and OCSP responder. With support of RFC 6960 and SHA3 (Java)
OpenCA OCSP Responder Standalone OCSP responder from the OpenCA Project (C)

Proprietary
Certificate Services CA and OCSP responder included with Windows Server

Library

Open source
cfssl (Go)
OpenSSL (C)
wolfSSL (C)

Client

Further information: Transport Layer Security § Applications and adoption, and X.509 § Major protocols and standards using X.509 certificates

See also

Certificate revocation list
Certificate authority
Server-based Certificate Validation Protocol
OCSP stapling
Certificate Transparency

External links

Public Key Infrastructure: Operational Protocols at Curlie
RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP
RFC 4806, Online Certificate Status Protocol (OCSP) Extensions to IKEv2
RFC 5019, The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
RFC 6960, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP
Processor.com April, 2009 article about Online Certificate Status Protocol

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.