What is ocspd application to date

maelcum wrote:

In plain words:
ocspd verifies a certificate when requested by the Security.framework. These certificates are usually stored in the key ring and are used by an application to establish a connection to any service on the Internet.


Exactly, the whole thing has to do with certificates and PKI (Public Key Infrastructure).

Certificates serve as electronic "ID" for a wide variety of things (for SSL between server and browser, for authentication purposes on service platforms, for signing e-mails, etc.).

Such a certificate contains information about the issuer of the certificate, information about the owner of the certificate, information about the validity of the certificate and a lot of other things (so-called extensions).

In the example of signed e-mails mentioned by maelcum, if the mail client finds such a signature, the following happens:

1. The mail client checks whether the signature is mathematically correct.
2. The certificate contained in the signature is checked.
2a. Mathematical verification of the certificate
2b. Checking the certificate chain with the aid of the certificate store in the operating system / in the application
2c. Checking the revocation status of the certificate (only possible with an online connection).

At point 2c, the ocspd then comes into play.

--

What status check options are there?

1. CertificateRevocationList (cRL) check
A revocation list contains a list of certificate serial numbers with the associated revocation times and optional revocation reasons. Where to get these revocation lists (i.e. the download URL) can generally be found in a certificate extension with the name "crlDistributionPoint".

Common ways of obtaining it are via http (port 80) or via the ldap protocol (usually port 389). As I said, the exact URL can be found in the extension.

The advantage of a cRL is that you have a structure that you can easily parse, and that structure contains more than one revocation entry. The disadvantage is that such a cRL can become very large and therefore more than unwieldy.

2. OCSP (Online Certificate Status Protocol)
As the name suggests, this is a separate protocol for status queries. In the request, the issuing CA certificate and the serial number of the certificate to be checked are transmitted.
The answer is not a data structure in the sense of a cRL but a signed answer that provides various information.
Possible answers are:
- valid
- revoked, including revocation date and optional revocation reason
- unknown

The advantage of this protocol is that the answers always remain very small and do not grow endlessly like with cRLs.

The disadvantage is that you have to make a separate query for each certificate.

The URL for access to this service is in a certificate extension with the name "authorityInformationAccess".

Access can be native (often port 9000) or wrapped in http, i.e. port 80.

This also explains the access via port 80 in the case specifically presented here.

Best wishes
Tom
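The OCSP request Tom describes (issuing CA plus the serial number to check, sent over http), as an added example that is not part of the thread: a stdlib-only Python builder for the DER structure of RFC 6960. The issuer name and key bytes below are constructed placeholders, not a real CA; the responder URL is an assumption and would come from the certificate's authorityInformationAccess extension.

```python
import hashlib
import urllib.request

def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV (definite, minimal length encoding)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body

def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value: minimal bytes, 0x00 pad if the high bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

# AlgorithmIdentifier { sha1 (OID 1.3.14.3.2.26), NULL }; SHA-1 is what CertID commonly uses.
SHA1_ALG_ID = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))

def cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """CertID (RFC 6960 4.1.1): hash of the issuer DN, hash of the issuer public key, serial number."""
    return der(0x30, SHA1_ALG_ID
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bits).digest())
               + der_integer(serial))

def ocsp_request(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """Unsigned OCSPRequest with one Request and no extensions (version v1 is DEFAULT, so omitted)."""
    request = der(0x30, cert_id(issuer_name_der, issuer_key_bits, serial))  # Request ::= SEQUENCE { reqCert }
    request_list = der(0x30, request)                                       # requestList SEQUENCE OF Request
    tbs_request = der(0x30, request_list)                                   # TBSRequest
    return der(0x30, tbs_request)                                           # OCSPRequest

def http_post(responder_url: str, request_der: bytes) -> urllib.request.Request:
    """OCSP over HTTP (RFC 6960 Appendix A): POST the DER body to the URL from authorityInformationAccess."""
    return urllib.request.Request(responder_url, data=request_der,
                                  headers={"Content-Type": "application/ocsp-request"})

# Constructed sample values (not a real CA): issuer DN "CN=Example CA" and a placeholder key.
ISSUER_NAME_DER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0c, b"Example CA"))))
ISSUER_KEY_BITS = bytes(range(32))  # real case: subjectPublicKey bits of the CA cert, without the unused-bits byte

if __name__ == "__main__":
    req = ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BITS, 0x1234)
    print(req.hex())
    # To actually query a responder (assumed URL):
    # urllib.request.urlopen(http_post("http://ocsp.example.test/", req)).read()
```

The responder's signed answer then carries one of the three statuses listed above (good, revoked with date and reason, or unknown), and the signature on it must be verified before the status is trusted.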