OCSP for X.509 certificate revocation checking

The Online Certificate Status Protocol (OCSP) enables applications to determine the revocation state of an identified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with certificate revocation lists (CRLs), and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.
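To make the status request described above concrete, the following is an added example (not Domino or Notes code, and not from the original page) that builds the unsigned OCSPRequest an OCSP client sends and parses it back; it uses only the Python standard library, and the issuer name, issuer key bytes and serial number are constructed placeholders.

```python
import hashlib

# --- minimal DER helpers (standard library only) ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body
def _seq(*items):
    return _tlv(0x30, b"".join(items))
def _integer(n):  # positive INTEGER, padded so the high bit is never set
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

SHA1_ALG_ID = _seq(_tlv(0x06, bytes.fromhex("2b0e03021a")), b"\x05\x00")  # id-sha1 + NULL params

def build_ocsp_request(issuer_name_der, issuer_key_bytes, serial):
    """Unsigned OCSPRequest (RFC 6960 section 4.1.1). CertID names the certificate by SHA-1 of the
    issuer's DER Name, SHA-1 of the issuer's public key (SubjectPublicKeyInfo BIT STRING contents)
    and the certificate serial number."""
    cert_id = _seq(SHA1_ALG_ID,
                   _tlv(0x04, hashlib.sha1(issuer_name_der).digest()),
                   _tlv(0x04, hashlib.sha1(issuer_key_bytes).digest()),
                   _integer(serial))
    request = _seq(cert_id)            # Request, no singleRequestExtensions
    tbs_request = _seq(_seq(request))  # TBSRequest holding only requestList (version v1 by default)
    return _seq(tbs_request)           # OCSPRequest without optionalSignature

def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_ocsp_request(der):
    """Walk OCSPRequest -> TBSRequest -> requestList -> Request -> CertID of a minimal request
    (as built above, no version/requestorName) and return the CertID fields."""
    body = der
    for _depth in range(5):  # five nested SEQUENCEs down to the CertID contents
        tag, body, _ = _read_tlv(body)
        assert tag == 0x30, "unexpected tag %#x" % tag
    _, alg, pos = _read_tlv(body)
    _, name_hash, pos = _read_tlv(body, pos)
    _, key_hash, pos = _read_tlv(body, pos)
    _, serial, _ = _read_tlv(body, pos)
    return {"hash_oid": _read_tlv(alg)[1], "issuer_name_hash": name_hash,
            "issuer_key_hash": key_hash, "serial": int.from_bytes(serial, "big")}

# Constructed sample inputs (not a real CA): Name "CN=Example Issuing CA", 65 bytes standing in for a key.
SAMPLE_ISSUER_NAME = _seq(_tlv(0x31, _seq(_tlv(0x06, b"\x55\x04\x03"), _tlv(0x0C, b"Example Issuing CA"))))
SAMPLE_ISSUER_KEY = bytes(range(65))
```

The returned bytes are what a client would POST with Content-Type application/ocsp-request to the responder URL from the certificate's AIA extension; a responder would reply with a signed OCSPResponse carrying good, revoked or unknown.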

For Domino®, OCSP checks are only made during S/MIME signature verification by the Notes® client. Revoked certificates generate an error message to the user, and all OCSP transaction information is placed in the client's local LOG.NSF database. Users have the option of accepting the revoked certificate.

To take advantage of this feature, a non-Domino OCSP responder must be available within the organization for the Notes client to query during signature verification.

OCSP is enabled by policy, through a setting on the Keys and Certificates tab of the Security Policy Settings document.