The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The typical OCSP protocol is on the Internet standards track described in RFC 6960 here . It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using Certificate Revocation Lists (CRLs) in a PKI system. An OCSP responder is a server typically run by the certificate issuer. It is responsible to return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'.
A perfect complement to the DCP Signing Service (DSS), the DCP [Intel] OCSP service provides real-time certificate status information. It can support any Certificate Authority hosted in DSS. When a customer wants to verify the status of certificate, it sends an OCSP request to our OCSP responder. The OCSP responder checks the DSS database and returns an OCSP response indicating the status of the certificate. If the certificate is still valid, the OCSP responder will return status as 'good'. If the certificate is revoked, the OCSP responder will return status as ‘revoked’ otherwise it will return ‘unknown’.
Our OCSP service is highly available and globally geographically distributed for low latency. It is highly versatile to support zero trust technologies such as DICE. Its highly flexible design can provide a quick turnaround to stand up an OCSP responder for our customers.
A high-level description of the OCSP Service looks is described in the diagram below:
If you would like to learn more about DSS Service, please contact us using this page .