OCSP revocation status

OCSP revocation status is determined by the OCSP response sent in reply to an OCSP request. Two types of responses can be received. One indicates that the OCSP responder sent a valid response; the other signals that the responder encountered an issue as it processed the prior request.

The issues a responder might encounter while it processes a request include the following:
  • malformedRequest - The request was malformed.
  • internalError - An internal error occurred on the OCSP responder.
  • tryLater - The OCSP responder is temporarily unable to respond; try the request again later.
  • sigRequired - The OCSP responder requires that the request be signed.
  • unauthorized - The OCSP client is not authorized to query the OCSP responder.

A valid response contains the certificate revocation status for the queried certificate. The possible certificate status values are good, revoked, or unknown. OCSP revocation status checking is complete when a good or revoked status is received for the certificate. A good status allows the handshake to continue; a revoked status causes the handshake to fail.

If the revocation status from both URL and AIA checking is undetermined, the certificate is allowed to be used. Information about the certificate with an undetermined revocation status can be retrieved with gsk_attribute_get_buffer() and attribute GSK_UNKNOWNREVOCATIONSTATUS_SUBJECT. The application should close the connection if an undetermined revocation status is not allowed.

Undetermined revocation status

The following responses result in undetermined revocation status:

  • No response received within the specified timeout
  • OCSP response status that indicates the responder encountered an issue
  • Valid response with one of the following conditions:
    • Unknown response type (only PKIX_AD_OCSP_basic response type supported)
    • Unknown response version (only version 1 supported)
    • Invalid signature or invalid signing certificate
      • The signing certificate must meet one of the following criteria:
        • Is trusted by the local keystore
        • Is the certificate of the certificate authority (CA) that issued the certificate in question
        • Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage extension and is issued by the CA that issued the certificate in question
    • No nonce included on the response when nonce checking is required
    • Bad nonce value on the response when nonce checking is required
    • Invalid or expired nextUpdate value is specified on the response
    • Unknown certificate status value that indicates the responder does not know the status of the certificate
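The following Python is an added example, not System SSL code, that ties the two lists above together: it decodes the outer OCSPResponse structure from RFC 6960 (responseStatus plus the optional responseBytes with its responseType OID) and then applies the good / revoked / undetermined rules described above. It assumes the responder's error codes and the id-pkix-ocsp-basic OID from RFC 6960; the inner BasicOCSPResponse (signature check, version, nonce, nextUpdate, CertStatus) is not decoded here, so those facts are passed in as already-verified values, and the sample responses are constructed inline. The function names (`parse_ocsp_response`, `revocation_outcome`) are this example's own.

```python
"""OCSP response triage: outer OCSPResponse decoding plus status decision.
Added example following RFC 6960; not IBM System SSL code."""
from datetime import datetime, timezone
from typing import Optional, Tuple

# OCSPResponseStatus values (RFC 6960, section 4.2.1); value 4 is unused.
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1) as DER OID contents.
OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")


def _der(tag: int, contents: bytes) -> bytes:
    """Encode one DER TLV (short-form length only; enough for the samples)."""
    assert len(contents) < 128
    return bytes([tag, len(contents)]) + contents


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_ocsp_response(der: bytes) -> Tuple[str, Optional[bytes], Optional[bytes]]:
    """Return (responseStatus name, responseType OID contents, response body).
    Error responses carry no responseBytes, so the last two are then None."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse is not a SEQUENCE")
    tag, status, pos = _read_tlv(body, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    name = RESPONSE_STATUS.get(status[0], f"unknown({status[0]})")
    if pos >= len(body):
        return name, None, None
    tag, rb, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected [0] EXPLICIT responseBytes")
    tag, rb_seq, _ = _read_tlv(rb, 0)
    if tag != 0x30:
        raise ValueError("ResponseBytes is not a SEQUENCE")
    tag, oid, pos = _read_tlv(rb_seq, 0)
    if tag != 0x06:
        raise ValueError("responseType is not an OBJECT IDENTIFIER")
    tag, resp, _ = _read_tlv(rb_seq, pos)
    if tag != 0x04:
        raise ValueError("response is not an OCTET STRING")
    return name, oid, resp


def revocation_outcome(der: Optional[bytes], *, signer_ok: bool, version: int,
                       cert_status: str, nonce_required: bool,
                       nonce_matches: Optional[bool],
                       next_update: Optional[datetime],
                       now: Optional[datetime] = None) -> str:
    """Map a response (None = timeout) and the already-verified inner facts
    to 'good', 'revoked' or 'undetermined' per the rules in the text."""
    now = now or datetime.now(timezone.utc)
    if der is None:
        return "undetermined"          # no response within the timeout
    status, oid, _ = parse_ocsp_response(der)
    if status != "successful":
        return "undetermined"          # responder reported a problem
    if oid != OID_OCSP_BASIC:
        return "undetermined"          # only the basic response type is supported
    if version != 1 or not signer_ok:
        return "undetermined"          # unsupported version or untrusted signer
    if nonce_required and nonce_matches is not True:
        return "undetermined"          # nonce missing or bad
    if next_update is not None and next_update < now:
        return "undetermined"          # expired nextUpdate
    if cert_status in ("good", "revoked"):
        return cert_status
    return "undetermined"              # CertStatus unknown


# Constructed samples: a tryLater error response and a successful response whose
# OCTET STRING holds an empty SEQUENCE standing in for a BasicOCSPResponse.
SAMPLE_TRY_LATER = _der(0x30, _der(0x0A, b"\x03"))
SAMPLE_BASIC = _der(0x30, _der(0x0A, b"\x00") + _der(0xA0, _der(
    0x30, _der(0x06, OID_OCSP_BASIC) + _der(0x04, b"\x30\x00"))))

if __name__ == "__main__":
    print(parse_ocsp_response(SAMPLE_TRY_LATER))
    print(revocation_outcome(SAMPLE_BASIC, signer_ok=True, version=1,
                             cert_status="good", nonce_required=False,
                             nonce_matches=None, next_update=None))
```

An application using this shape of logic would treat every "undetermined" result the way the text describes: the connection proceeds only if policy permits an unknown status, and otherwise it is closed.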