Online Certificate Status Protocol (OCSP)

Communications protocol

Status: Proposed Standard
Year started: 4 February 2002 (2002-02-04)
First published: 11 February 2013 (2013-02-11)
Authors: Stefan Santesson, Michael Myers, Rich Ankney, Ambarish Malpani, Slava Galperin, Carlisle Adams, Mohit Sahni, Himanshu Sharma
Base standards: Uniform Resource Identifier (URI), Secure/Multipurpose Internet Mail Extensions (S/MIME)
Domain: Digital certificate
Website: RFC 6960: OCSP; RFC 8954: OCSP Nonce Extension; RFC 9654: OCSP Nonce Extension Enhancements

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

Some web browsers (e.g., Firefox) use OCSP to validate HTTPS certificates, while others have disabled it. Most OCSP revocation statuses on the Internet disappear soon after certificate expiration.

Certificate authorities (CAs) were previously required by the CA/Browser Forum to provide OCSP service, but this requirement was removed in August 2023, instead making CRLs required again. Let's Encrypt has announced their intention to end OCSP service as soon as possible, citing privacy concerns and operational simplicity.

Comparison to CRLs

Since an OCSP response contains less data than a typical certificate revocation list (CRL), it puts less burden on network and client resources.

Since an OCSP response has less data to parse, the client-side libraries that handle it can be less complex than those that handle CRLs.

OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information.

Basic PKI implementation

Alice and Bob have public key certificates issued by Carol, the certificate authority (CA).

Alice wishes to perform a transaction with Bob and sends him her public key certificate.

Bob, concerned that Alice's private key may have been compromised, creates an 'OCSP request' that contains Alice's certificate serial number and sends it to Carol.

Carol's OCSP responder reads the certificate serial number from Bob's request. The OCSP responder uses the certificate serial number to look up the revocation status of Alice's certificate. The OCSP responder looks in a CA database that Carol maintains. In this scenario, Carol's CA database is the only trusted location where a compromise to Alice's certificate would be recorded.

Carol's OCSP responder confirms that Alice's certificate is still OK, and returns a signed, successful 'OCSP response' to Bob.

Bob cryptographically verifies Carol's signed response. Bob has stored Carol's public key some time before this transaction. Bob uses Carol's public key to verify Carol's response.

Bob completes the transaction with Alice.

Protocol details

An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

The OCSP request format supports additional extensions. This enables extensive customization to a particular PKI scheme.

OCSP can be vulnerable to replay attacks, where a signed, 'good' response is captured by a malicious intermediary and replayed to the client at a later date after the subject certificate may have been revoked. OCSP allows a nonce to be included in the request that may be included in the corresponding response. Because of high load, most OCSP responders do not use the nonce extension to create a different response for each request, instead using presigned responses with a validity period of multiple days. Thus, the replay attack is a major threat to validation systems.

OCSP can support more than one level of CA. OCSP requests may be chained between peer responders to query the issuing CA appropriate for the subject certificate, with responders validating each other's responses against the root CA using their own OCSP requests.

An OCSP responder may be queried for revocation information by delegated path validation (DPV) servers. OCSP does not, by itself, perform any DPV of supplied certificates.

The key that signs a response need not be the same key that signed the certificate. The certificate's issuer may delegate another authority to be the OCSP responder. In this case, the responder's certificate (the one that is used to sign the response) must be issued by the issuer of the certificate in question, and must include a certain extension that marks it as an OCSP signing authority (more precisely, an extended key usage extension with the OID {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) keyPurpose(3) ocspSigning(9)})

Privacy concerns

OCSP checking creates a privacy concern for some users, since it requires the client to contact a third party (albeit a party trusted by the client software vendor) to confirm certificate validity. OCSP stapling is a way to verify validity without disclosing browsing behavior to the CA.

Criticisms

OCSP-based revocation is not an effective technique to mitigate against the compromise of an HTTPS server's private key. An attacker who has compromised a server's private key typically needs to be in a man-in-the-middle position on the network to abuse that private key and impersonate a server. An attacker in such a position is also typically in a position to interfere with the client's OCSP queries. Because most clients will silently ignore OCSP if the query times out, OCSP is not a reliable means of mitigating HTTPS server key compromise.

The MustStaple TLS extension in a certificate can require that the certificate be verified by a stapled OCSP response, mitigating this problem. OCSP also remains a valid defense against situations where the attacker is not a "man-in-the-middle" (code-signing or certificates issued in error).

The OCSP protocol assumes the requester has network access to connect to an appropriate OCSP responder. Some requesters may not be able to connect because their local network prohibits direct Internet access (a common practice for internal nodes in a data center). Forcing internal servers to connect to the Internet in order to use OCSP contributes to the de-perimeterisation trend. The OCSP stapling protocol is an alternative that allows servers to cache OCSP responses, which removes the need for the requestor to directly contact the OCSP responder.

Browser support

[Figure: OCSP information on Firefox 89]

There is wide support for OCSP amongst most major browsers:

Internet Explorer is built on the CryptoAPI of Windows and thus starting with version 7 on Windows Vista (not XP) supports OCSP checking.
All versions of Mozilla Firefox support OCSP checking. Firefox 3 enables OCSP checking by default.
Safari on macOS supports OCSP checking. It is enabled by default as of Mac OS X 10.7 (Lion). Prior to that, it has to be manually activated in Keychain preferences.
Versions of Opera from 8.0 to the current version support OCSP checking.

However, Google Chrome is an outlier. Google disabled OCSP checks by default in 2012, citing latency and privacy issues and instead uses their own update mechanism to send revoked certificates to the browser.

Implementations

Several open source and proprietary OCSP implementations exist, including fully featured servers and libraries for building custom applications. OCSP client support is built into many operating systems, web browsers, and other network software due to the popularity of HTTPS and the World Wide Web.

Server

Open source

Boulder, CA and OCSP responder developed and used by Let's Encrypt (Go)
DogTag, Open source certificate authority CA, CRL and OCSP responder.
EJBCA, CA and OCSP responder (Java)
XiPKI, CA and OCSP responder. With support of RFC 6960 and SHA3 (Java)
OpenCA OCSP Responder: Standalone OCSP responder from the OpenCA Project (C)

Proprietary

Certificate Services CA and OCSP responder included with Windows Server

Library

Open source

cfssl (Go)
OpenSSL (C)
wolfSSL (C)

Client

Further information: Transport Layer Security § Applications and adoption, and X.509 § Major protocols and standards using X.509 certificates

See also

Certificate revocation list
Certificate authority
Server-based Certificate Validation Protocol
OCSP stapling
Certificate Transparency

External links

Public Key Infrastructure: Operational Protocols at Curlie
RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP
RFC 4806, Online Certificate Status Protocol (OCSP) Extensions to IKEv2
RFC 5019, The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
RFC 6960, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP
Processor.com April, 2009 article about Online Certificate Status Protocol

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.