Certificate status checking

A certificate is valid until a specific expiry date. If the CA stops trusting it before then (e.g. because its private key has been leaked), you want to know.


CRL (Certificate Revocation List)

PlantUML Syntax:
participant "Client" as C
participant "Server" as S
participant "CRL Server" as CRLS

== Connection setup ==
C -> S : Start TLS handshake
S -> C : Send certificate
C -> CRLS : Download CRL
C -> C : Check cert. status
alt Certificate revoked
    C -> S : Abort TLS handshake
else else
    C -> S : Finish TLS handshake
end

Contra: Downloading the CRL generates traffic.
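
The CRL flow above, reproduced offline with the openssl command line as an added example (not part of the original page): a throwaway CA issues a certificate, and the client-side check `openssl verify -crl_check` runs before and after the CA revokes it. The CA name, `server.example` and all file names are constructed, and OpenSSL 1.1.1 or later is assumed.

```shell
# Added example: throwaway CA with constructed names, not a production PKI.
# Prints the CRL check result for one certificate before and after revocation.
crl_demo() (
  set -e
  cd "$(mktemp -d)"
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = replaced-by-subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  : > index.txt; echo 01 > serial; echo 01 > crlnumber
  q() { "$@" >/dev/null 2>&1; }   # silence openssl chatter, keep the exit status
  q openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Demo CA" -days 30 -keyout ca.key -out ca.crt
  q openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=server.example" -keyout srv.key -out srv.csr
  q openssl ca -batch -config ca.cnf -in srv.csr -out srv.crt
  check() {
    # The CA publishes a fresh CRL; the client then checks the certificate against it.
    q openssl ca -config ca.cnf -gencrl -out crl.pem
    if out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem srv.crt 2>&1)
    then echo good
    else case $out in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
    fi
  }
  before=$(check)
  q openssl ca -config ca.cnf -revoke srv.crt   # the CA stops trusting the certificate
  after=$(check)
  echo "before=$before after=$after"
)
crl_demo
```

Without `-crl_check`, `openssl verify` does not consult the CRL at all, so the revoked certificate would still verify.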


OCSP (Online Certificate Status Protocol)

PlantUML Syntax:
participant "Client" as C
participant "Server" as S
participant "OCSP Server" as OCSPS
participant "CRL Server" as CRS

== Precondition ==
OCSPS -> CRS : Download CRL
== Connection setup ==
C -> S : Start TLS handshake
S -> C : Send certificate
C -> OCSPS : Request cert. status via serial number
alt Certificate revoked
    C -> S : Abort TLS handshake
else else
    C -> S : Finish TLS handshake
end

Contra: The OCSP server sees your requests.


OCSP Stapling (Online Certificate Status Protocol Stapling)

PlantUML Syntax:
participant "Client" as C
participant "Server" as S
participant "OCSP Server" as OCSPS
participant "CRL Server" as CRS

== Precondition ==
OCSPS -> CRS : Download CRL
== Connection setup ==
C -> S : Start TLS handshake
S -> OCSPS : Request cert. status via serial number
S -> C : Send certificate + status
alt Certificate revoked
    C -> S : Abort TLS handshake
else else
    C -> S : Finish TLS handshake
end

Contra: Nothing yet.