Frank noted in his status report that the Mozilla Foundation is funding a project to implement “OCSP stapling” in Apache and OpenSSL. In the future, Firefox will be enhanced to check the validity of SSL certificates using Online Certificate Status Protocol (OCSP) responses served up by the webserver itself (colloquially known as “OCSP stapling”), as opposed to directly from the CA’s OCSP server. But the webserver needs to know how to obtain and serve them, which is what this work is about.
OCSP stapling massively reduces the load on a CA’s OCSP servers, and makes OCSP feasible to deploy on large-volume SSL sites like Paypal or Amazon. Once a majority of clients support it, we’ll see much wider OCSP use, with a corresponding improvement in the ability of CAs to meaningfully revoke certificates. Working OCSP is compulsory for EV certificates from 2010 onwards.
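Once a server has this support, the thing an operator wants to check is whether it is actually handing a stapled response to clients. The following is an added example, not code from the post or from the Apache/OpenSSL work it describes: a small POSIX shell function that classifies the output of `openssl s_client -status` (which prints the stapled OCSP response, or `OCSP response: no response sent` when the server staples nothing). The two sample outputs embedded below are constructed to mirror the `s_client` format, and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original post): classify `openssl s_client -status`
# output to report whether a server stapled an OCSP response and what it said.
#
# Usage against a live server (placeholder host):
#   openssl s_client -status -connect example.invalid:443 </dev/null 2>/dev/null | stapling_status
#
# Prints one of:
#   none              - server sent no stapled response (stapling not enabled/working)
#   error             - a response was stapled but its OCSP Response Status is not "successful"
#   stapled <status>  - a good response was stapled; <status> is the Cert Status (good/revoked/unknown)
#   unknown           - no OCSP section at all (handshake failed, wrong port, etc.)
stapling_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)
            echo none; return 0 ;;
        *"OCSP response:"*)
            ;;
        *)
            echo unknown; return 0 ;;
    esac
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo error; return 0
    fi
    # Pull the certificate status from the first "Cert Status:" line of the response.
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1)
    echo "stapled ${status:-unknown}"
}

# Constructed sample: a server that does not staple.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.invalid
verify return:1'

# Constructed sample: a server that staples a "good" response (values are made up).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Produced At: Jan  1 12:00:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 0123456789ABCDEF
    Cert Status: good
    This Update: Jan  1 12:00:00 2024 GMT
    Next Update: Jan  8 12:00:00 2024 GMT
======================================
depth=0 CN = example.invalid
verify return:1'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_NONE"    | stapling_status
printf '%s\n' "$SAMPLE_STAPLED" | stapling_status
```

The `none` result is the one to alert on after enabling stapling: it means clients such as a stapling-aware Firefox will fall back to contacting the CA's responder directly (or skip the check, depending on their policy), so the server is not delivering the load reduction or the revocation benefit the post describes.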
I’ve been working on this grant for some months now, and it’s great to see it go ahead.