OCSP

Online Certificate Status Protocol (OCSP) is a method for checking the revocation status of SSL certificates in real-time. OCSP was developed as an alternative to Certificate Revocation Lists (CRLs), which can become large and unwieldy as they must list all revoked certificates. Instead of downloading entire CRLs, OCSP allows clients to query the CA's OCSP responder about the status of a specific certificate by sending its serial number.

The OCSP responder returns one of three responses: 'good' (certificate is valid), 'revoked' (certificate has been revoked), or 'unknown' (status cannot be determined). OCSP responses are digitally signed by the CA and include timestamps to prevent replay attacks. However, OCSP has some limitations: it can create privacy concerns by revealing which sites users visit to the CA, and OCSP queries can slow down connection establishment.

To address these issues, OCSP Stapling was developed, where the server periodically retrieves its own OCSP response and presents it to clients during the TLS handshake, eliminating the need for clients to contact the OCSP responder directly.