Mango OCSP Responder Service


Mango CA adds the Online Certificate Status Protocol (OCSP) to its PKI. OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was established as an alternative to certificate revocation lists (CRLs), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The “request/response” nature of these messages leads to OCSP servers being termed OCSP responders.

Comparison to CRLs:
Since an OCSP response contains less information than a typical CRL (certificate revocation list), OCSP can use networks and client resources more efficiently. Using OCSP, clients do not need to parse CRLs themselves, saving client-side complexity. However, this is balanced by the practical need to maintain a cache. In practice, such considerations are of little consequence, since most applications rely on third-party libraries for all X.509 functions. OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information.

Features of Mango CA OCSP:
Implements RFC 2560 and RFC 5019.
One responder can respond for any number of CAs.
Status information stored in SQL database.
Does not depend on CRLs; status information can be updated in real time.
Plug-in mechanism for custom OCSP extensions.
Highly configurable audit and transaction logging. Suitable for invoicing.
Configurable for requiring signed requests, authorized signers, etc.
Can answer good or unknown for non-existing certificates, with different configuration based on the request URI.
Linear scalability for performance and high availability by adding multiple nodes.
High performance, >500 requests per second on a single server.
Online renewal of OCSP responder keys and certificates.