Understanding OCSP Times and What They Mean for You

The Online Certificate Status Protocol (OCSP) is the fastest protocol we have for verifying certificate status. In a nutshell, here’s how OCSP works: An end user sends a request to the server, requesting certificate status information. Through the Online Certificate Status Protocol, a response is given as one of these four options “Success,” “Unauthorized,” “Malformed Request,” or “Try Later.” These responses indicate the status of the certificate and allow users to verify the security of the sites they’re using. This protocol dramatically streamlined the process of verifying a certificate. By quickening this process, OCSP has become the preferred protocol to obtaining the status of any certificate.

OCSP vs. CRL

If you’re wondering how OCSP has improved response times for certificate status validation, you should first understand how the process worked prior to OCSP.

Before OCSP, Certificate Revocation List (CRL) was the only protocol for verifying certificate status. The CRL protocol, still used by some servers today, is a much more time-consuming process. The Certificate Revocation List is a list that contains all the serial numbers of certificates that have been revoked. These lists, however, need to be updated frequently by the certificate issuer. When the lists become outdated, they are no longer reliable for identifying revoked certificates. Keeping these lists continually updated is tedious, and the CRL process is often faulty due to the chance that revocation lists may not always be up-to-date.

OCSP response times are in real-time. OSCP requests do not require the browser to check through long lists of revoked certificates to find certificate status. Likewise, OCSP requests contain much less information than CRL requests and can therefore be processed much quicker.

What These OCSP Times Mean for You

The OCSP protocol’s real-time responses allow users connect quicker to the server and to efficiently check the validity of the certificates in use. However, the speeds of OCSP times rely on the Certificate Authority through which the certificate is purchased. Because each CA has their own OCSP responder (server), the development and maintenance can vary drastically between CAs.

OCSP server uptime should be a top priority in choosing a certificate issuer. End users should be cautious of companies who do not promote excellent server uptime and short OCSP responses. These metrics drastically affect site speed and page load time, which in turn affects the overall business. In one study, Amazon found that every 100 milliseconds of latency cost 1% in sales. In another study, Google found that just a 30-second delay for search results caused a 20% drop in traffic. The speed and delivery of any secure website is as integral to its success as the security itself. OCSP responses and uptime can make or break a website’s speed and certificate security.

DigiCert is aware of the crucial impact that OCSP times have on any organization’s website security. According to a recent Netcraft report, DigiCert OCSP has an uptime of 100% and response times that are up to 8x faster than other Certificate Authorities. With development teams committed to providing innovative methods to keep OCSP response times quick, DigiCert continues to lead the industry in SSL security.