A CRL (certificate revocation list) is a list of digital certificates that the issuing certificate authority has revoked before their expiry date; a certificate on the list must no longer be accepted anywhere.
OCSP (Online Certificate Status Protocol) is a protocol for checking the revocation status of certificates online one at a time, one query per certificate, instead of downloading a list.
CRL and OCSP checks are two different routes to the same result: a user whose certificate has been revoked is denied access. Inside a web browser OCSP has proved the better tool, because the browser deals with many certificate authorities (CAs), and downloading every CA's CRL just to check one website is inefficient.
Normally a digital certificate has a validity period of one year, after which the certificate is no longer trusted and is added to the CRL, with prior notice to the certificate holder. The revocation of a certificate is declared by the certificate authority that issued it.
Reasons a CA revokes a certificate (and places it on the CRL)
- The CA finds out that it issued the certificate wrongfully or in error.
- The CA itself has been compromised.
- The web server misrepresented information during verification, or has violated the terms of its agreement with the CA.
- The certificate's private key has been compromised.
With a CRL, every time a client makes a secure connection to a web server it is redirected to the certificate authority, downloads the CRL and searches for the certificate in a long revocation list. The whole process is a burden on the client. If the client does not find the certificate in the list, it concludes that the certificate is not revoked and trusts it. If the CA has issued certificates to web servers with very high traffic, the CA receives a large number of CRL download requests, which is hard for it to serve.
With OCSP, every time a client connects to a web server, the server sends the client its certificate; to check that the certificate is not revoked, the client then sends an OCSP request to the CA's OCSP responder. The responder uses the certificate's serial number to look up its status and answers the client with one of three responses: good, revoked or unknown. The CA keeps the responder updated from the CRL so that the status it reports is current and true.
OCSP therefore overcomes the main limitation of CRLs: downloading the whole list and searching it is a burden on clients, whereas checking the status of one certificate by its serial number is much lighter.
Under OCSP the client still has to contact the CA to check each certificate, so the OCSP responder receives a large number of requests. If the client cannot reach the CA it has two options: either it continues the connection anyway, which defeats the purpose of the status check, or it abandons the connection and treats the unreachable responder as a problem with the certificate, a false alarm.
In this respect there is little difference between the two verification processes: both place the burden on the client.
There is a better solution to the verification problem: OCSP stapling, which transfers the burden to the web server. The web server acts as an agent for its clients and checks the status on their behalf. The process is as follows: the web server sends an OCSP request for its own certificate to the OCSP responder, and the responder returns a timestamped response signed by the CA. When a client connects, the web server sends (staples) this timestamped OCSP response together with its certificate during the SSL (Secure Sockets Layer) handshake. The client trusts the certificate because the response is digitally signed and timestamped by the CA.
The web server makes this request once and staples the same response for all clients, which also reduces the number of requests reaching the OCSP responder.
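The OCSP exchange and stapling flow described above, as an added example that is not part of the original article: a responder answering good/revoked/unknown with a thisUpdate/nextUpdate window, the checks a client applies to a stapled response, the client's soft-fail versus hard-fail choice when no usable answer exists, and a web server that caches one response for all its clients and keeps serving it when the responder is down. The CA signature is stood in for by an HMAC over the response fields, and the key, serial numbers and function names (`ocsp_respond`, `client_verify`, `StaplingServer`) are constructed assumptions, not real OCSP/ASN.1 encoding.

```python
import hashlib, hmac
# Constructed stand-ins (not real keys or serials) so the example runs offline.
CA_KEY = b"constructed-ca-signing-key"   # stand-in for the CA/responder private key
KNOWN_SERIALS = {0x1001, 0x1002}         # serials the CA issued
REVOKED_SERIALS = {0x1002}               # the CA's revocation list (what a CRL would carry)
LIFETIME = 3600                          # seconds a response stays valid (thisUpdate..nextUpdate)

def sign(fields):
    """Stand-in for the CA signature: HMAC over the response fields (assumption, not real OCSP)."""
    return hmac.new(CA_KEY, repr(fields).encode(), hashlib.sha256).digest()

def ocsp_respond(serial, now, responder_up=True):
    """Responder answers good / revoked / unknown for one serial number, or None if unreachable."""
    if not responder_up:
        return None
    status = "unknown" if serial not in KNOWN_SERIALS else "revoked" if serial in REVOKED_SERIALS else "good"
    fields = (serial, status, now, now + LIFETIME)
    return {"serial": serial, "status": status, "thisUpdate": now,
            "nextUpdate": now + LIFETIME, "sig": sign(fields)}

def client_verify(serial, resp, now):
    """Checks a client applies to a stapled (or directly fetched) response before trusting it."""
    if resp is None:
        return "no response"
    fields = (resp["serial"], resp["status"], resp["thisUpdate"], resp["nextUpdate"])
    if not hmac.compare_digest(sign(fields), resp["sig"]):
        return "bad signature"            # tampered, or not produced by the CA
    if resp["serial"] != serial:
        return "wrong certificate"        # a response replayed from another certificate
    if not resp["thisUpdate"] <= now <= resp["nextUpdate"]:
        return "stale"                    # outside the timestamped validity window
    return resp["status"]

def connection_allowed(verdict, soft_fail=False):
    """Client policy: with no usable answer, soft-fail connects anyway and hard-fail refuses."""
    return verdict == "good" or (soft_fail and verdict in ("no response", "stale", "unknown"))

class StaplingServer:
    """Web server that fetches one response, caches it and staples it to every handshake."""
    def __init__(self, serial):
        self.serial, self.staple, self.responder_requests = serial, None, 0
    def handshake(self, now, responder_up=True):
        # Refresh only when nothing is cached or the cached response is close to nextUpdate.
        if self.staple is None or now >= self.staple["nextUpdate"] - 600:
            self.responder_requests += 1
            fresh = ocsp_respond(self.serial, now, responder_up)
            if fresh is not None:
                self.staple = fresh       # responder down: keep serving the old staple
        return self.staple                # sent to the client together with the certificate
```

Once the cached response passes nextUpdate while the responder is unreachable, every client sees "stale" and the server's availability depends on the client's fail policy.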
Advantages of OCSP stapling
- It improves performance because the client receives the status together with the certificate and does not need to connect to the CA.
- It preserves the privacy of the end user, because the user makes no connection to the CA for the OCSP request.
- OCSP stapling speeds up the SSL handshake by combining two requests into one, which cuts down the time taken for an encrypted web page to load.
- The CA receives the request from the web server and not from the user, so the user's browsing remains private.
- It requires less bandwidth and enables a real-time status check.
If a certificate authority is down you cannot issue certificates, but if your CRL has expired then all the certificates become useless. It is therefore important to verify the validity of certificates through the CRL or the OCSP server.
Maintaining the CRL is cumbersome because you have to keep updating and maintaining the list constantly. Some CAs do not keep their CRL updated these days. This affects CRL retrieval and can slow things down depending on the size of the CRL. Because of such problems many CAs have adopted OCSP stapling. OCSP stapling is the process that permits the web server to answer the OCSP client's query about whether the certificate is trusted or revoked.
Millions of online certificates are exchanged every day; to keep them from being compromised or untrusted, and to enforce security and privacy, certificate lifecycle management is used. Organizations need to manage their digital certificates so that they are not cracked or attacked because of expiry or revocation.
Nowadays CRLs are not as widely used as they were in the past, but it is good to know how they work and how they differ from the current solution. Present web servers can be a little messy because they switch between three different revocation-checking methods, not all of which are secure. OCSP stapling might be the silver bullet for this problem, but it still needs to be made security-sound: once the OCSP responder is down, OCSP stapling faces serious availability problems.