You have a certificate that you want to verify, as well as the certificate used to issue it (and any others that may be in the certification path), but you need to check that the certificates have not been revoked. One way to do this is to download the CRL from the issuing CA, but an alternative is to check an OCSP responder for an immediate response. Using OCSP allows you to avoid the overhead of downloading a potentially very large CRL file.
Most CAs publish CRLs, but most do not run OCSP responders. Several public OCSP responders collect CRLs from many different CAs and are capable of responding for each of them. Such responders are known as chain responders, and they should only be trusted if their certificate can be verified or if it is trusted and it contains the extension with the bit enabled. A reasonably up-to-date list of these public responders is available from http://www.openvalidation.org. For those CAs that run their own OCSP responders, it’s best to contact them directly rather than relying on a chain responder, because the information from a CA’s own responder is more likely to be the most up-to-date.
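As an added example (not code from this recipe), the trust rule for a responder certificate described above written out with Python's `cryptography` library against a constructed throwaway PKI: a responder certificate is accepted if it was directly issued by a CA we already trust, or if it is itself explicitly trusted and carries the OCSP-signing extended key usage. The certificate names, the ECDSA keys and the `responder_cert_acceptable` helper are assumptions of the example, and it assumes a `cryptography` release that accepts the backend-less API (3.1 or later).

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, signing_key, public_key, ocsp_signing):
    # Constructed test certificate; only the fields relevant to OCSP trust are set.
    b = (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(_name(issuer))
         .public_key(public_key).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=1)))
    if ocsp_signing:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def issued_by(cert, issuer):
    # Direct issuance check: the issuer name must match and the signature must verify.
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:  # InvalidSignature: the cert was not signed by this issuer's key
        return False

def has_ocsp_signing_eku(cert):
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.OCSP_SIGNING in eku

def responder_cert_acceptable(cert, ca_certs, explicitly_trusted):
    # Rule from the text: verifiable against a CA we trust, or explicitly trusted
    # and marked for OCSP signing. Anything else (e.g. a chain responder whose
    # self-signed cert we never pinned) is rejected.
    if any(issued_by(cert, ca) for ca in ca_certs):
        return True
    return cert in explicitly_trusted and has_ocsp_signing_eku(cert)

# Constructed sample PKI (not real CAs or responders).
ca_key, own_key, chain_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ca_cert = make_cert("Example CA", "Example CA", ca_key, ca_key.public_key(), False)
own_responder = make_cert("CA OCSP", "Example CA", ca_key, own_key.public_key(), False)  # CA's own
chain_responder = make_cert("Chain", "Chain", chain_key, chain_key.public_key(), True)   # self-signed
chain_no_eku = make_cert("Chain", "Chain", chain_key, chain_key.public_key(), False)
rogue = make_cert("CA OCSP", "Example CA", chain_key, chain_key.public_key(), True)     # forged issuer
```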
In Recipe 10.10, we built a lookup table of various CAs that contains information about where their CRLs can be found. You will notice that OCSP responder information is also present for those CAs that have their own. At the time of this writing, the only CA that ...