Today, Go Daddy is joining forces with other leading Certificate Authorities to launch the Certificate Authority Security Council. This group will supplement existing standards-setting organizations such as the CA/Browser Forum by providing education, research, and advocacy on the best practices and use of SSL. I’ve been working with this group for a few months now, and I’m excited about the information we have to share on issues affecting everyone who relies on SSL today. To learn more about the CASC announcement, visit http://bit.ly/VaZNek.
One of the first topics that we want to raise awareness about is OCSP stapling versus standard OCSP.
Online Certificate Status Protocol (OCSP) is the modern method used by Certificate Authorities (CAs) to tell browsers that an SSL certificate has been revoked and should no longer be trusted. While OCSP is a significant improvement over the legacy approach to revocation known as Certificate Revocation Lists (CRLs), it still has a few downsides. Basically, it requires your browser to connect to a special service provided by the CA every time you load a secure website over https. This slows down the connection, creates a dependency on a service that may not always be available, and raises privacy concerns, because you are effectively telling the CA every website you visit over https.
Fortunately, an enhancement to OCSP called OCSP stapling offers a simple solution to all of these concerns. With OCSP stapling, the web server fetches the CA's signed OCSP response for its own certificate and includes that revocation data with the certificate on the initial connection to the website, so the browser no longer needs a separate connection to the CA. Because the response is signed by the CA and only valid for a limited time, the browser can trust it without ever contacting the CA itself, and the server simply refreshes it periodically. This feature is already supported by IIS and the newest versions of Apache and nginx. So, now we need to get the word out and start using it.
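As an added example (not code from the original post), here is a small POSIX shell check that tells whether a server actually staples an OCSP response, by looking at what `openssl s_client -status` prints; the sample server output and the host name are constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the original post: tell whether a TLS server
# staples an OCSP response, using the output of `openssl s_client -status`.
# (On nginx, stapling is turned on with `ssl_stapling on;`, `ssl_stapling_verify on;`
# and `ssl_trusted_certificate` pointing at the CA chain; Apache uses `SSLUseStapling on`.)

# classify_stapling: read s_client output on stdin and print one of
#   "stapled:<status>"  - the server sent an OCSP response in the handshake
#   "not-stapled"       - the browser would have to contact the CA itself
classify_stapling() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo not-stapled
        return 0
    fi
    # The stapled response carries the CA's verdict for the leaf certificate.
    cert_status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    echo "stapled:${cert_status:-unknown}"
}

# check_stapling HOST [PORT]: live check (needs network). `-status` makes
# s_client send the status_request extension and print any stapled response.
check_stapling() {
    host=$1
    port=${2:-443}
    echo | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
        | classify_stapling
}

# Constructed samples of the relevant s_client lines, so this runs offline.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Feb 14 00:00:00 2013 GMT
======================================'
SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
depth=2 C = US, O = Example CA, CN = Example Root'

printf '%s\n' "$SAMPLE_STAPLED"   | classify_stapling   # prints stapled:good
printf '%s\n' "$SAMPLE_UNSTAPLED" | classify_stapling   # prints not-stapled
```

Run `check_stapling your.site.example` against a live server after enabling stapling; `not-stapled` means browsers are still making their own OCSP connection to the CA.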
This is a great example of the work that the CASC will be doing to ensure that SSL remains the most proven, reliable, and scalable way to protect Internet transactions.