Frank noted in his status report that the Mozilla Foundation is funding a project to implement “OCSP stapling” in Apache and OpenSSL. In the future, Firefox will be enhanced to check the validity of SSL certificates using Online Certificate Status Protocol (OCSP) responses served up by the webserver itself (colloquially known as “OCSP stapling”), as opposed to directly from the CA’s OCSP server. But the webserver needs to know how to obtain and serve them, which is what this work is about.
OCSP stapling massively reduces the load on a CA’s OCSP servers, and makes OCSP feasible for deployment for large volume SSL sites like Paypal or Amazon. Once a majority of clients support it, we’ll see much wider OCSP use, with a corresponding improvement in the ability of CAs to meaningfully revoke certificates. Working OCSP is compulsory for EV certificates from 2010 onwards.
I’ve been working on this grant for some months now, and it’s great to see it go ahead.
This sounds fine if there are only good people using the OCSP service.
But would be a bad idea if Trudy is the person serving the SSL site today, and knowing the SSL cert might be revoked, but still serving valid OCSP responses from his own webserver…
Isn’t that right?
The OCSP responses are signed by the CA; they can’t pass on valid responses if the cert has been revoked.