OCSP
Is the OCSP Responder checking certificate status against CRL/DeltaCRL or CA Database?
If it's against CRL/DeltaCRL isn't there still the possibility that the OCSP response will be valid although a certificate may have been revoked?
Thanks,
Paul
May 28th, 2011 12:01am
Per RFC 2560, which defines OCSP, the response HAS to be definitive. Hence the responder will be accessing the certificate database file CAname.edb to reply to OCSP queries.
You can see where your db is located by typing
certutil -databaselocations
May 28th, 2011 2:36am
On Fri, 27 May 2011 23:36:03 +0000, adelatorre wrote:
Per RFC 2560, which defines OCSP, the response HAS to be definitive. Hence the responder will be accessing the certificate database file CAname.edb to reply to OCSP queries.
You're not reading the RFC correctly, and that's not the way that
Microsoft's OCSP solution works:
http://technet.microsoft.com/en-us/library/cc731001.aspx
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Programming just with goto's is like swatting flies with a sledgehammer.
May 28th, 2011 9:27am
Paul,
Thanks for the clarification. If Microsoft's implementation of OCSP is utilizing the CRL, it seems the only advantage from a revocation check perspective is smaller network traffic, whereas CRL size will continually grow. Can you please clarify a few things for me. The article you reference states:
4.) ... "most recent CRL issued by the CA".
5.) "If the certificate does not appear on the local or cached revocation lists, the revocation provider obtains an updated CA CRL," ...
Is the revocation provider somehow instructing the CA to generate an updated CRL prior to the current CRL expiration period (certutil -CRL)?
Lastly, the Windows Server 2008 PKI & Certificate Security book by Brian Komar states on page 212 that:
"An OCSP responder can be configured to either directly query the CA database to determine or download CRLs ..." How is this accomplished?
Thank you,
PTH
May 31st, 2011 6:58pm
Per your last point, this is talking about OCSP servers in general.
Microsoft uses CRLs to make the revocation decision. Tumbleweed uses a direct connection to the CA database.
What you need to remember is that the 2008/2008R2 OCSP responders are built to increase performance of revocation checking, not the timeliness of the revocation response.
The OCSP server will never get the CA to publish a new CRL. If there is no cached CRL, then the Online Responder will check to see if an updated CRL exists.
Brian
June 1st, 2011 1:04am
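To put a number on the window the thread is worried about (a certificate revoked after the last CRL was issued still being reported "good"), here is an added PowerShell example, not posted by anyone in the thread, that reads the issuing CA's CRL publication settings from the CertSvc registry key and reports the longest a CRL-backed Online Responder can keep serving a stale "good". It assumes it runs on the CA itself with read access to that key, that the responder loads delta CRLs whenever the CA publishes them, and it approximates Months and Years as 30 and 365 days.

```powershell
# Added example: worst-case revocation lag of a CRL-backed Online Responder,
# derived from the CA's own CRL publication schedule (assumption: run on the CA).
$confKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $confKey -Name Active).Active   # active CA name
$ca      = Get-ItemProperty -Path (Join-Path $confKey $caName)     # CA settings

# Convert a CRLPeriodUnits/CRLPeriod pair (e.g. 1 + 'Weeks') into a TimeSpan.
function ConvertTo-TimeSpan {
    param([int]$Units, [string]$Period)
    switch ($Period) {
        'Minutes' { return New-TimeSpan -Minutes $Units }
        'Hours'   { return New-TimeSpan -Hours   $Units }
        'Days'    { return New-TimeSpan -Days    $Units }
        'Weeks'   { return New-TimeSpan -Days   ($Units * 7) }
        'Months'  { return New-TimeSpan -Days   ($Units * 30)  }  # approximation
        'Years'   { return New-TimeSpan -Days   ($Units * 365) }  # approximation
        default   { throw "Unknown CRL period unit '$Period'" }
    }
}

$basePeriod  = ConvertTo-TimeSpan $ca.CRLPeriodUnits $ca.CRLPeriod
# CRLDeltaPeriodUnits = 0 means the CA publishes no delta CRLs at all.
$deltaPeriod = if ($ca.CRLDeltaPeriodUnits -gt 0) {
    ConvertTo-TimeSpan $ca.CRLDeltaPeriodUnits $ca.CRLDeltaPeriod
} else { $null }

# A responder that decides from CRLs only learns of a revocation from the next
# list it loads, so the publication interval of the freshest list the CA issues
# (delta if enabled, otherwise base) bounds how long "good" can be stale.
$freshest  = if ($deltaPeriod) { $deltaPeriod } else { $basePeriod }
$deltaText = if ($deltaPeriod) { "$($ca.CRLDeltaPeriodUnits) $($ca.CRLDeltaPeriod)" } else { 'disabled' }

"CA:                  $caName"
"Base CRL period:     $($ca.CRLPeriodUnits) $($ca.CRLPeriod)"
"Delta CRL period:    $deltaText"
"Worst-case OCSP lag: $freshest (a revoked cert may still be answered 'good' this long)"
if ($freshest.TotalHours -gt 24) {
    "Shorter delta CRL publication reduces this window; a manual certutil -CRL helps only once the responder has loaded the new list."
}
```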