User:Ram Moskovitz/enabling OCSP content
From Wikipedia, the free encyclopedia
This page is a draft - please report any errors or omissions to me. Thanks! - the picture doesn't work.
Nearly 10% of web browsers in use today can check the validity of SSL server credentials in near real-time using OCSP for FREE!
Why should you care? When a Certificate Authority (CA) issues a certificate - say to a website, software publisher, or email sender - it does so under a particular policy; that policy defines the conditions under which the CA will issue certificates and the conditions under which it will revoke them. For example, if a software publisher accidentally or maliciously signs a piece of bad software with their certificate, the CA may revoke that certificate, either at the request of the software publisher or as a matter of CA policy.
So what? If you connect to a web site that has a certificate (ever notice the gold padlock in your browser?), your browser can automatically check whether the CA that issued that certificate to the web site has revoked it - perhaps because the web site is doing wrong or had a security compromise. Note that certificates will only be checked for revocation if the CA includes support for OCSP - your browser will figure this out automatically.
Here's how to enable it on a few of the more popular browsers. Caveat: if you are connecting to a WiFi hotspot that blocks OCSP until you've paid, you may have trouble connecting. The workaround for now is to disable OCSP until you've established a working connection and then re-enable it. Hopefully the browser providers will work around this by caching OCSP queries (IE 7 will).
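How a client can tell that a certificate "specifies an OCSP service URL": the URL is carried in the certificate's Authority Information Access (AIA) extension defined in RFC 5280. The following is an added example, not part of the original draft and not any browser's own code; it reads a constructed AIA value with a minimal DER reader, and the function names and ca.example URLs are assumptions made for illustration.

```python
ID_AD_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 (RFC 5280)
ID_AD_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 (RFC 5280)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def ocsp_urls(aia_der):
    tag, seq, _ = read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    urls = []
    for ad_tag, access_desc in children(seq):
        parts = list(children(access_desc)) if ad_tag == 0x30 else []
        if len(parts) != 2:
            raise ValueError("malformed AccessDescription")
        (m_tag, method), (l_tag, location) = parts
        # 0x06 = OBJECT IDENTIFIER, 0x86 = GeneralName [6] (URI)
        if m_tag == 0x06 and method == ID_AD_OCSP and l_tag == 0x86:
            urls.append(location.decode("ascii"))
    return urls

def revocation_checked(aia_der):
    """Model of 'validate only certificates that specify an OCSP service URL'."""
    return aia_der is not None and bool(ocsp_urls(aia_der))

# Constructed sample data (hypothetical ca.example URLs, short-form lengths only)
def tlv(tag, value):
    return bytes([tag, len(value)]) + value
def access_description(oid, uri):
    return tlv(0x30, tlv(0x06, oid) + tlv(0x86, uri.encode("ascii")))

ISSUER = access_description(ID_AD_CA_ISSUERS, "http://ca.example/issuer.crt")
WITH_OCSP = tlv(0x30, access_description(ID_AD_OCSP, "http://ocsp.ca.example/") + ISSUER)
WITHOUT_OCSP = tlv(0x30, ISSUER)
```

Under this setting a certificate with no AIA extension, or one that lists only a CA issuers URL, is accepted without any revocation check.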
Mozilla
1. From the Edit menu, select Preferences and then choose Privacy & Security.
2. Next, in the Validation section, select "Use OCSP to validate only certificates that specify an OCSP service URL" and then click OK.
Opera 8.5
As of release 8.5, Opera uses OCSP to check SSL certificates for revocation by default - the first large-scale browser to do so for SSL!
IE7
Microsoft will enable use of OCSP for SSL certificates and Code Signing certificates by default in Internet Explorer 7 running on Vista.
Netscape 8 & Firefox
1. From the Tools menu, select Options and then choose the Advanced sub-section.
2. Next, scroll down to the Validation section, select "Use OCSP to validate certificates that specify an OCSP service URL" and then click OK.
Mac OS X Safari
Edit your Keychain preferences (Applications/Utilities) so that they match the following screen shot.