When you request for an OCSP server to check the revocation status of a cert, does it automatically check the revocation status of the entire chain?
i.e: if it says the cert is "good", then does that imply the entire chain is good?
I read the spec: http://www.ietf.org/rfc/rfc2560.txt
but it still seems unclear to me.
Wikipedia does mention chained OCSP requests:
http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
The OCSP responder will only check the status of the particular certificate that is specified in the OCSP request. The responder will ignore the rest of the chain.
A browser may choose to send multiple OCSP Requests in order to check each certificate as it traverses up the chain, but this is currently implemented in a browser-dependent manner across the different vendors, and is further confused by the fact that browsers will cache intermediate certificates served by arbitrary SSL servers and re-use them in chains for different leaf certificates. Some browsers will even try and automatically download up-to-date intermediates from third sources, even when the SSL server is sending an older one. However, it should be noted that in general (at present), intermediate-certificates are mostly not set up to have OCSP information, so it is unlikely that they are OCSP-checkable anyway.
On a related note, there is a new part of the spec that allows for a browser to request multiple OCSP checks within the same HTTP post -- with the intention of allowing the intermediates to be checked along with the leaf-- but nothing yet supports this, and this is likely to only be supported on servers that employ OCSP stapling (Apache 2.4+ etc), otherwise the resultant load on a OCSP responder for an intermediate certificate, without stapling, is likely to make it fall straight over. (With an intermediate certificate signing hundreds of thousands of leaves, imagine how hard it would get hit for revocation requests, without the benefit of widespread support of the distributed caching that stapling will bring).
The root certificates, of course, can't be checked by OCSP. They are signed by themselves, so if trust has gone, there's nowhere to look, and you just need to remove the root cert from the client.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With