PKI – CRL and OCSP

Çağlar Arlı

I've done quite a bit of reading about PKI in ADCS and CRL/OCSP, but I can't seem to find an answer to a small couple of questions I still have:

It is clear to me that even with OCSP in place, you still need a (delta) CRL (OCSP relies on a CRL to check if a certificate is valid or not for example) but that it's also important that clients have a URL to access the (delta) CRL.

What is not clear is whether a client will still download CRLs/delta CRLs even if an OCSP URL is provided in a certificate and that OCSP can be contacted.

It seems to me that what would make sense is something similar to (example with web server):

  • Client gets certificate from web server
  • Client needs to validate certificate so:
    • starts by checking whether the issuing CA is trusted
    • checks whether it has a recent CRL/OCSP reply in its cache, if so and if the cached reply says the cert is valid, then job done.
    • no cached reply is available, so if both CRL and OCSP are given, prefer OCSP over the CRL and ask the OCSP provider if the certificate is valid. If OCSP replies, trust whatever it said.
    • If the OCSP does not reply/cannot be contacted, then fallback to using a CRL in which case a CRL is downloaded and used.
    • If CRL list cannot be downloaded either then... let's not get into this because that's a whole other topic on its own :)

Now what I'm not certain about is whether the above assumptions are correct, but even if they are it raises a few other questions (all questions assume that the above procedure is correct):

  1. If a certificate specifies both an OCSP and a CRL and the OCSP fails to provide a reply, then the client falls back to CRL (and caches it). So what happens the next time that the user tries to go to the same website? Bearing in mind that a reply from CRL is cached, will it always trust that so long as its TTL hasn't expired and not attempt to contact the OCSP again?

  2. Does a client really only ever download a CRL/delta CRL if there is either no OCSP provided on the certificate or if the OCSP provides no answer?

  3. I have read that the Vista OCSP client caches replies, but cannot find information about how long it caches them for and whether this is configurable. Can anyone clarify?
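The check order the question sketches (cache first, then OCSP, then CRL fallback, with the cached result honoured until its TTL expires) as an added, offline model; this is example code written for this page, not Windows' or ADCS' actual client logic. It assumes injected `ocsp`/`crl` callables that raise `OSError` when unreachable and that the cache TTL is taken from the response's nextUpdate time.

```python
"""Constructed model of the revocation-check order described above.

Statuses are 'good', 'revoked' or 'unknown'; the second return value says
which source answered (cache, ocsp, crl or none). Time is a plain number
so the example runs offline with no real certificates.
"""
from dataclasses import dataclass, field


@dataclass
class RevocationCache:
    # serial -> (status, expires_at); expiry mirrors nextUpdate in a CRL/OCSP reply
    entries: dict = field(default_factory=dict)

    def get(self, serial, now):
        hit = self.entries.get(serial)
        if hit is not None and now < hit[1]:
            return hit[0]          # fresh cached verdict, no network needed
        return None                # miss or TTL expired

    def put(self, serial, status, expires_at):
        self.entries[serial] = (status, expires_at)


def check_revocation(serial, now, cache, ocsp=None, crl=None):
    """ocsp(serial) -> (status, next_update); crl() -> (set_of_revoked_serials, next_update).
    Either may raise OSError to simulate an unreachable responder."""
    cached = cache.get(serial, now)
    if cached is not None:
        return cached, "cache"     # question 1: OCSP is NOT retried while this is valid
    if ocsp is not None:
        try:
            status, next_update = ocsp(serial)
            cache.put(serial, status, next_update)
            return status, "ocsp"  # trust whatever the responder said
        except OSError:
            pass                   # responder down: fall back to the CRL
    if crl is not None:
        try:
            revoked, next_update = crl()
            status = "revoked" if serial in revoked else "good"
            cache.put(serial, status, next_update)  # CRL verdict is cached too
            return status, "crl"
        except OSError:
            pass
    return "unknown", "none"       # neither source reachable: policy decides
```

Running the test scenario shows the behaviour the first question asks about: once the CRL verdict is cached, OCSP is only contacted again after the cached entry's expiry time.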