PKI Consortium blog

Posts by tag IETF

    An Introduction to OCSP Multi-Stapling
    May 7, 2013 by CA Security Council. Tags: CA/Browser Forum, CRL, IETF, OCSP, Revocation, SSL/TLS, Vulnerability

    OCSP Stapling

    OCSP is a protocol used to check the validity of certificates to make sure they have not been revoked. OCSP is an alternative to Certificate Revocation Lists (CRLs). Since OCSP responses can be as small as a few hundred bytes, OCSP is particularly useful when the issuing CA has relatively big CRLs, as well as when the client has limited memory and processing power.

    IETF 86 – Web PKI Working Group
    March 21, 2013 by Bruce Morton (Entrust). Tags: CRL, Google, IETF, OCSP, PKI, Policy, Revocation, SSL/TLS, Web PKI

    At the IETF 86 meeting in Orlando last week, there was a working group meeting discussing the operations of the Web PKI. At the previous IETF 85 meeting, a birds-of-a-feather session was held to discuss the purpose of having such a group. The result of that meeting was an established group with a charter that states purposes such as:

    • Working group will work to improve the consistency of Web security behavior
    • Address problems as seen by the end-users, certificate holders and CAs
    • Describe how the Web PKI actually works
    • Prepare documented deliverables as discussed below

    The meeting discussed the charter and the four following deliverables. More information is in the presentation slides; look under the Operations and Management Area, then under WPKOPS.

    Certificate Revocation and OCSP Stapling
    February 14, 2013 by CA Security Council. Tags: Attack, CASC, CRL, IETF, OCSP, Revocation, SSL/TLS

    Revocation

    As a body of global CAs, the CA Security Council is committed to educating server administrators, end-users and other interested parties about SSL enhancements and best practices that can better protect everyone. An important initiative that can make a practical difference right now is addressing easily implemented improvements to certificate status services that handle revocation of invalid or expired certificates, specifically the implementation of OCSP stapling.
