Logo

PKI Consortium blog

Posts by author Jeremy Rowley

    OCSP Stapling: Improved Performance and Security, a Win-Win
    February 14, 2013 by Jeremy Rowley CASC OCSP Revocation SSL/TLS

    The launch of the CASC has given its members a unique platform through which we can educate users about online security and the best practices in utilizing SSL. That’s why we’ve decided to pair the group’s launch with a focused effort on OCSP stapling.

    Why OCSP stapling? For one, stapling is already supported by IIS and the newest versions of Apache and nginx. Although server software does not enable OCSP by default, servers can be re-configured with a little education. OCSP stapling is a significant improvement on traditional CRLs and OCSP revocation mechanisms because it eliminates the communication between the browser and CA when establishing the SSL connection. This leads to an increase in browsing performance and eliminates an attacker’s ability to successfully block a CA’s ability to provide revocation information. Stapled OCSP responses are cached by the web administrator and sent back to the relying party during the communication, effectively reducing bandwidth requirements and speeding up the SSL connection.

    Participate in our community discussions and/or join the consortium