OCSP certificate revocation checking

The Online Certificate Status Protocol (OCSP) Certificate Revocation Checking application definition field determines whether OCSP certificate revocation checking is done with AIA certificate extension information and whether OCSP stapling is enabled or required.

Revocation checking is done with AIA certificate extension information if OCSP revocation status is undetermined and both of the following conditions are true:
  • OCSP AIA checking is enabled.
  • The certificate to be validated has an AIA extension with a PKIK_AD_OCSP access method that contains a URI of the HTTP location of the OCSP responder.
    Note: The first OCSP responder that is identified in the AIA extension is queried for revocation status.

Enabling OCSP stapling on a client application causes the client to request OCSP stapling by sending the certificate status request extension as part of the client hello. Server applications with OCSP stapling enabled support the certificate status request extension and query the OCSP responder on behalf of the client when they receive the extension.

A client application can also indicate that it requires OCSP stapling. This means that if the client does not receive a stapled OCSP response from the server and the server's certificate indicates that it must staple, then the client fails the secure connection.

The default value for the field is *PGM, meaning the program that uses this "application ID" sets the attribute to the appropriate value. All System TLS attributes have an initial default value. For this attribute, the default value is disabled for both AIA checking and OCSP stapling. Programs can explicitly enable or disable OCSP AIA checking and OCSP stapling with gsk_attribute_set_enum().

If *PGM does not result in OCSP AIA validation and revocation checking is wanted, set this field to “Enable.” The internal setting is overridden and OCSP checking happens when AIA information is available.

If *PGM does not result in OCSP stapling and support is wanted, set this field to “Stapling.” The internal setting is overridden and OCSP stapling is requested by client applications and supported by server applications. Additionally, this enables OCSP AIA checking when AIA information is available on the certificate.

Setting this field to “Stapling Required” overrides the internal setting and enables OCSP AIA checking for client and server applications, enables OCSP stapling for client and server applications, and requires OCSP stapling for client applications.

If *PGM results in OCSP AIA validation or OCSP stapling, yet revocation checking is not wanted, set this field to “Disable.” Disabling OCSP weakens the security model for the application, so use due diligence before you make this choice.
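The following C model, added here as an illustration and not IBM's System TLS code, shows how the five field values resolve against the program's own gsk_attribute_set_enum() choice and what a client then does with (or without) a stapled response. All type and function names are hypothetical; the assumption that “Enable” leaves the program's stapling choice untouched is the author's, as the page does not state it.

```c
/* Added example: models the field/program resolution and the client-side
 * OCSP step described above. Hypothetical names; not the System TLS API. */
#include <stdbool.h>

typedef enum { FIELD_PGM, FIELD_ENABLE, FIELD_STAPLING,
               FIELD_STAPLING_REQUIRED, FIELD_DISABLE } FieldValue;

typedef struct {
    bool aia_checking;      /* query AIA-listed OCSP responder when status is undetermined */
    bool stapling;          /* client requests / server supports status_request */
    bool stapling_required; /* client only: fail if a must-staple cert arrives unstapled */
} OcspSettings;

/* program_setting is what the application set itself (initial default: all off). */
OcspSettings resolve_ocsp(FieldValue field, OcspSettings program_setting)
{
    OcspSettings s = {false, false, false};
    switch (field) {
    case FIELD_PGM:     s = program_setting; break;
    case FIELD_ENABLE:  s = program_setting; s.aia_checking = true; break; /* assumption: stapling unchanged */
    case FIELD_STAPLING: s.aia_checking = true; s.stapling = true; break;
    case FIELD_STAPLING_REQUIRED:
        s.aia_checking = true; s.stapling = true; s.stapling_required = true; break;
    case FIELD_DISABLE: break;               /* both AIA checking and stapling off */
    }
    return s;
}

typedef enum { STATUS_GOOD, STATUS_REVOKED, STATUS_UNDETERMINED } RevStatus;
typedef enum { ACTION_FAIL_HANDSHAKE, ACTION_ACCEPT_STAPLED,
               ACTION_QUERY_AIA_RESPONDER, ACTION_NO_OCSP_STEP } ClientAction;

/* got_staple: a stapled response arrived; stapled: its status.
 * must_staple: the server certificate indicates it must staple.
 * has_aia_ocsp_uri: the certificate carries an AIA entry with the OCSP access
 * method (PKIK_AD_OCSP) and an HTTP URI. Only the first such responder is used. */
ClientAction client_next_step(OcspSettings s, bool got_staple, RevStatus stapled,
                              bool must_staple, bool has_aia_ocsp_uri)
{
    if (s.stapling && got_staple && stapled == STATUS_REVOKED) return ACTION_FAIL_HANDSHAKE;
    if (s.stapling && got_staple && stapled == STATUS_GOOD)    return ACTION_ACCEPT_STAPLED;
    if (s.stapling_required && !got_staple && must_staple)     return ACTION_FAIL_HANDSHAKE;
    /* Status still undetermined: fall back to the AIA responder when allowed. */
    if (s.aia_checking && has_aia_ocsp_uri)                    return ACTION_QUERY_AIA_RESPONDER;
    return ACTION_NO_OCSP_STEP; /* other revocation methods are not modelled here */
}
```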