Who uses OCSP?

The Online Certificate Status Protocol (OCSP, now specified in RFC 6960) is an alternative to using a certificate revocation list (CRL) to find out whether a digital certificate has been revoked. A CRL is just a signed list of the serial numbers of certificates the CA has revoked; a relying party downloads the whole list and checks whether the serial number of the certificate it is about to trust appears on it. CRLs have a few problems that limit their usefulness: they can get fairly large, and they aren't always updated as often as you might like, so a certificate revoked this morning may not show up until the next scheduled CRL is published.

An alternative that can be more appealing is OCSP. With OCSP the relying party sends a small request to an OCSP responder that identifies one certificate (by a hash of the issuer's name and key plus the certificate's serial number) and asks for its status. The responder returns a signed message that says whether that certificate is good, revoked or unknown, together with the time at which that status was determined. That gets around the problem of distributing a big CRL, but it doesn't necessarily give you more current data than a CRL does, because the information an OCSP responder uses to make its decision is often just a CRL, so the answer is only as fresh as whatever feeds the responder. Each signed response carries a thisUpdate time (and optionally a nextUpdate), which is what a client has to look at to learn how old the answer it is being given actually is.
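To make that exchange concrete, here is an added example (not code from the original post): it builds a throwaway CA with openssl, marks one of two leaf certificates revoked in the CA's index.txt, generates a CRL from that file, and then uses openssl as both the OCSP client and the OCSP responder against the very same file. The names, serial numbers and the revocation are all made up for the demo; it assumes an OpenSSL 1.1.1-or-later command line and its default openssl.cnf, and nothing here touches the network.

```shell
#!/bin/sh
# Added example, not from the original post: one CA database (index.txt)
# feeds both a CRL and an OCSP responder. All names and serials are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

quiet() { "$@" >/dev/null 2>&1; }

# 1. A CA plus two leaf certificates with known serials: 0x1001 stays good,
#    0x1002 will be revoked.
quiet openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo OCSP CA" -keyout ca.key -out ca.crt
for name in good bad; do
    quiet openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$name.example" -keyout "$name.key" -out "$name.csr"
done
quiet openssl x509 -req -in good.csr -CA ca.crt -CAkey ca.key \
    -set_serial 0x1001 -days 30 -out good.crt
quiet openssl x509 -req -in bad.csr -CA ca.crt -CAkey ca.key \
    -set_serial 0x1002 -days 30 -out bad.crt

# 2. The CA database in "openssl ca" index format (tab separated):
#    status  expiry  revocation-date[,reason]  serial  file  subject
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=good.example\n' > index.txt
printf 'R\t300101000000Z\t231201000000Z,keyCompromise\t1002\tunknown\t/CN=bad.example\n' >> index.txt

# 3. A CRL generated from that database.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database         = index.txt
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 7
EOF
quiet openssl ca -config ca.cnf -gencrl -out crl.pem

# 4. The OCSP exchange. Client side: one request naming both certificates
#    (issuer name/key hashes + serial). Responder side: answer it from the
#    same index.txt and sign the response with the CA key.
openssl ocsp -issuer ca.crt -cert good.crt -cert bad.crt -no_nonce -reqout req.der
openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -no_nonce -reqin req.der -respout resp.der

# Client side again: verify the responder's signature against the CA and
# return the status word ("good", "revoked" or "unknown") for one cert file.
# "Response verify OK" from openssl goes to stderr; the summary is on stdout.
ocsp_status() {
    openssl ocsp -respin resp.der -issuer ca.crt -cert "$1" -CAfile ca.crt -no_nonce \
        | sed -n "s/^$1: //p"
}

# Does the CRL list this (hex) serial number as revoked?
crl_lists() {
    openssl crl -in crl.pem -noout -text | grep -q "Serial Number: $1"
}

for c in good.crt bad.crt; do
    echo "$c: OCSP says $(ocsp_status "$c")"   # good.crt: good, bad.crt: revoked
done
crl_lists 1002 && echo "CRL lists serial 1002 (bad.crt) as revoked"
```

Running it prints "Response verify OK" from the client, "good" for good.crt and "revoked" for bad.crt (add -text to either ocsp command to see the full request and response, including the thisUpdate time and the keyCompromise reason), while the CRL lists only serial 1002. The thing to notice is the point made above: both the CRL and the OCSP response come out of one text file, so the OCSP answer is exactly as current as the database behind the responder, no more.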

Some people like to describe CRLs as being much like the printed books of bad credit card numbers that merchants once checked cards against before processing a transaction. That metaphor probably isn't much good these days, because fewer and fewer people remember seeing those printed books in use. I'd guess that nobody on the engineering team for Voltage's payments processing technology has ever seen one, for example.

In any event, exactly how common is OCSP? To find out I used SHODAN, and found 104 OCSP servers worldwide. (SHODAN searches service banners, so this counts only responders that identify themselves as OCSP in their HTTP headers, not every responder that exists.) Of these, more were actually in Germany than in any other country. According to SHODAN, here are the top users of OCSP:

Germany (29 OCSP servers)
US (26 OCSP servers)
Belgium (12 OCSP servers)
Turkey (8 OCSP servers)
UK (5 OCSP servers)

I'm too lazy to actually do the calculation, but it certainly looks like Belgium has the most OCSP servers per capita of these five.

[Note: I tried this again after the comment from "Dave" and got slightly different results: 116 servers, with the top being US (31), Germany (31), Belgium (15), Turkey (8), UK (5). A search for "ocsp-response" gave another set of results: 91 servers, with the top being US (29), Germany (26), Turkey (8), UK (5), Sweden (3).]

  • Dave

    Hmm, shouldn’t that query be for “ocsp-response” rather than just OCSP? Also, I think you have the numbers for the top two reversed, I’m getting US = 29, Germany = 26.

