|
OCSP stapling, formally known as the TLS Certificate Status Request extension, is an alternative approach to the Online Certificate Status Protocol (OCSP) for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS Handshake, eliminating the need for clients to contact the CA. == Motivation == OCSP stapling addresses most of the issues with the original OCSP implementation.〔 The original OCSP implementation can introduce a significant cost for the certificate authorities (CA) because it requires them to provide responses to every client of a given certificate in real time. For example, when a certificate is issued to a high traffic website, the servers of CAs are likely to be hit by enormous volumes of OCSP requests querying the validity of the certificate. OCSP checking potentially impairs users' privacy and slows down browsing, since it requires the client to contact a third party (the CA) to confirm the validity of each certificate that it encounters.〔 Moreover, if the client fails to connect to the CA for an OCSP response, then it is forced to decide between two options, neither of which are desirable. The client may either choose to continue the connection anyway, defeating the purpose of OCSP revocation checking, or it may choose to terminate the connection based on the assumption that there is an attack, which decreases usability and could result in excessive false warnings and blocks. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「OCSP stapling」の詳細全文を読む スポンサード リンク
|