OCSP vs CRL - How are these two different?

184 | Asked by AndreaBailey in Cyber Security, asked on Mar 15, 2022

What is the difference between OCSP, CRL and CDP? Are OCSP and CRL the same? Can we use a CRL without configuring OCSP?

Answered by ananya Pawar

OCSP vs CRL

The certificate revocation list (CRL) is a list of revoked certificates. It does not contain the certificate itself but mainly the serial number. It is signed directly or indirectly by the CA which issued these certificates. The CRL can be very big because it can contain lots of revocations. To check if a certificate is revoked the client must download the list (or have a recent copy) and then look up the serial number of the current certificate in the list. If it is not found there it is not revoked. The location of the CRL for a specific certificate (i.e. where to download it) is specified in the certificate itself as the CRL distribution point (CDP).

Because CRLs contain information for lots of certificates they are often large and thus not suitable for a fast revocation check. The Online Certificate Status Protocol (OCSP) instead checks only a specific certificate and asks the OCSP responder if this certificate was revoked or not. The OCSP responder quickly returns this specific information, which is again directly or indirectly signed by the issuer of the certificate. For an even faster revocation check the server can regularly retrieve a current OCSP response and send it to the client within the TLS handshake. With this "OCSP stapling" the client does not need to explicitly ask the OCSP responder for revocation information because the client already has this information. Yes, we can use a CRL without configuring OCSP.
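The two checks described in the answer, as an added example that is not part of the original post: a throwaway CA issues one leaf certificate whose CDP and OCSP (AIA) URLs are constructed placeholders, the CRL check then runs with `openssl verify -crl_check`, and the OCSP check runs as a one-shot request/response with `openssl ocsp` acting as responder from the CA's own index, so nothing is fetched from the network. Everything here (the `demo-ca` name, the `example.test` URLs, the helper function names) is an assumption of this example; it only requires a stock `openssl` binary.

```shell
#!/bin/sh
# Added example (not from the original answer): CRL check vs OCSP check on
# one constructed leaf certificate. All names and URLs below are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

setup_ca() {
  rm -rf newcerts index.txt index.txt.attr index.txt.old serial.old
  mkdir newcerts
  : > index.txt          # openssl ca's database of issued and revoked serials
  echo 1000 > serial
  echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = cn_only
x509_extensions  = leaf_ext
[ cn_only ]
commonName = supplied
[ leaf_ext ]
basicConstraints      = CA:FALSE
# CDP: where a CRL-checking client would download the whole list (constructed URL)
crlDistributionPoints = URI:http://crl.example.test/demo.crl
# AIA: where an OCSP-checking client would ask about this one serial (constructed URL)
authorityInfoAccess   = OCSP;URI:http://ocsp.example.test/
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = demo-ca
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=leaf.example.test \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

leaf_cdp() {
  # The CDP lives inside the certificate itself; print the CRL URI it carries.
  openssl x509 -in leaf.crt -noout -text | sed -n 's|.*URI:\(http://crl[^ ]*\).*|\1|p' | head -n 1
}

crl_check() {
  # CRL path: the client needs the whole list, then looks up the serial.
  # Exit 0 = serial not on the CRL, non-zero = revoked (or chain/CRL invalid).
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt >/dev/null 2>&1
}

ocsp_status() {
  # OCSP path: ask about one serial only. The request is built offline (openssl
  # may exit non-zero because no responder URL is given, but req.der is written),
  # answered from the CA's index by openssl in one-shot responder mode, then the
  # response is verified against the issuer. Prints "good" or "revoked".
  openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1 || true
  openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key -rmd sha256 \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -respin resp.der -issuer ca.crt -cert leaf.crt -no_nonce \
    -CAfile ca.crt 2>/dev/null | sed -n 's/^leaf.crt: //p'
}

revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise >/dev/null 2>&1
  # CRL clients only see the revocation once a new CRL is published (and their
  # cached copy expires); the responder reads the index and answers immediately.
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

setup_ca
echo "CDP in leaf.crt:   $(leaf_cdp)"
echo "before revocation: CRL says $(crl_check && echo valid || echo revoked), OCSP says $(ocsp_status)"
revoke_leaf
echo "after revocation:  CRL says $(crl_check && echo valid || echo revoked), OCSP says $(ocsp_status)"
```

Run it as-is; it creates a temporary directory and prints the CDP URI, then the CRL and OCSP verdicts before and after `revoke_leaf`. The revocation is visible to both checks, but note where the work happens: `crl_check` hands the whole (freshly regenerated) list to the client, while `ocsp_status` exchanges one small signed answer about a single serial, which is the size and freshness difference the answer describes.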
