Certificate revocation checking is an essential aspect of ensuring trust and security in online communications. Two commonly used methods for checking the revocation status of SSL/TLS certificates are OCSP (Online Certificate Status Protocol) and CRLs (Certificate Revocation Lists). While both serve the same purpose, there are distinct advantages to using CRLs over OCSP.

CRLs are timestamped lists of digital certificates that have been revoked before their expiration dates. They provide a comprehensive view of revoked certificates, including each certificate’s serial number and revocation date. Clients check CRLs locally during each connection, and if a certificate or CRL has expired, the browser downloads an updated list. These lists are publicly available via HTTP URLs.

On the other hand, OCSP relies on server responses to provide the revocation status of a certificate in real time. This method involves making individual requests to OCSP servers operated by certificate authorities (CAs). While OCSP can provide immediate information about a certificate’s revocation status, it requires additional network requests and adds latency to the connection process.

The decision to move toward relying primarily on CRLs was made by the CA/Browser Forum, the industry’s standards body. Starting from March 15, 2024, certificate authorities are required to make CRLs publicly available, while OCSP remains optional. This shift is driven by the advantages of CRLs, such as their ability to provide a complete list of revoked certificates and to eliminate the need for real-time queries to OCSP servers.
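The local CRL check described above, as an added example written in Go’s standard library (not code from the original article): it parses a CRL, verifies the issuing CA’s signature on it, refuses a list whose validity period has passed, and looks up a serial number. The throwaway CA, the revoked serial 42 and the one-week CRL validity are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkCRL returns nil when serial is absent from a CRL that issuer signed and that is still current at now.
func checkCRL(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // only the issuing CA may vouch for the list
		return err
	}
	if now.After(crl.NextUpdate) { // list expired: the client must download an updated CRL first
		return fmt.Errorf("CRL expired at %s; download an updated list", crl.NextUpdate.UTC().Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates { // each entry carries a serial number and a revocation date
		if rc.SerialNumber.Cmp(serial) == 0 {
			return fmt.Errorf("serial %s revoked at %s", serial, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// buildFixture is scaffolding: a throwaway CA and a one-week CRL revoking serial 42 (constructed test data).
func buildFixture(now time.Time) ([]byte, *x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{ // IsCA makes Go fill in the SubjectKeyId that CRL signing requires
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		Subject: pkix.Name{CommonName: "Example Test CA"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, nil, err }
	ca, err := x509.ParseCertificate(der)
	if err != nil { return nil, nil, err }
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}},
	}, ca, priv)
	return crlDER, ca, err
}
```

A CRL fetched from a CA’s HTTP URL would be handed to checkCRL as the DER bytes, with the issuing CA’s certificate as issuer.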

FAQ:

Q: What is the difference between OCSP and CRL?

A: OCSP is a method for real-time checking of certificate revocation status using server responses, while CRLs are timestamped lists of revoked certificates that are checked locally by clients.

Q: Why are browsers moving towards using CRLs primarily?

A: CRLs provide a comprehensive list of revoked certificates and eliminate the need for additional network requests, improving the connection process.

Q: Are OCSP servers still necessary?

A: OCSP servers remain optional, but certificate authorities are required to make CRLs publicly available.

Q: Will these changes affect website owners or users directly?

A: These changes primarily impact certificate authorities and their methods of publishing revoked certificates, ensuring the quality of services for website owners and users remains intact.