what is the “Online Certificate Status Protocol”

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Mar 9 13:57:11 UTC 2011

On 09/03/2011 09:30, erikmccaskey64 wrote:
> But: with wireshark i can see some "OCSP" packets [ http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
> Question: What are these packets? Why aren't there in HTTPS?

This is your browser trying to check if the SSL certs for the sites you
are visiting are still valid.  Certs can be cancelled by their issuer
before the built-in expiration date for various reasons -- eg. if there
has been a security compromise on the server and it is suspected that
someone has been able to steal the key and cert.

OCSP is one means of checking SSL certificate validity.  Another is
checking Certificate Revocation Lists issued by CAs.  Neither of these
require encryption at the network level, as the content that is
downloaded is already cryptographically signed.  Since it is public
knowledge, all the crypto is used for is to authenticate the data, not
encrypt it.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20110309/89315e18/signature.pgp

More information about the freebsd-questions mailing list