OCSP stapling is a method where a TLS server delivers a recent, CA-signed certificate status response to the client during the handshake instead of making the client fetch it from the OCSP responder separately. It matters because certificate status checking is faster and more private when clients do not all need to query revocation responders directly.
What is OCSP Stapling?
In OCSP stapling, the client signals support with the TLS status_request extension (RFC 6066) in its ClientHello. The server periodically obtains a signed, time-stamped status response for its own certificate from the CA's OCSP responder, caches it, and includes it in the handshake: as a CertificateStatus message in TLS 1.2, or as an extension on the certificate entry in TLS 1.3. Because the response is signed by the responder and bounded by its thisUpdate/nextUpdate window, the server can relay it but cannot forge or extend it. This reduces latency, improves privacy, and lowers responder load compared with each client performing its own OCSP lookup.
What OCSP Stapling Commonly Supports
Common uses include faster TLS handshakes (no extra round trip from the client to the responder), privacy-improved certificate validation, revocation checking that scales with the number of servers rather than the number of clients, and fewer handshake delays or soft-fails when the responder is slow or unreachable from the client's network.
OCSP Stapling vs. Direct Client OCSP Lookup
With direct lookup, each client queries the OCSP responder itself, which costs a round trip, reveals the client's browsing to the responder, and fails or silently soft-fails when the responder is unreachable. With stapling, the server fetches the signed status once per validity window and provides it proactively to every client; the client still verifies the responder's signature and the validity window rather than taking the server's word for it.
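To make the mechanism described in the two sections above concrete, here is an added Go example (not code from the original page) that stands up a TLS server and client on loopback with Go's crypto/tls, staples a response to the server's certificate, and reads it back on the client side after the handshake, so the status arrives together with the certificate rather than through a separate responder query. Assumptions: the host name staple.example, the self-signed certificate, and the staple bytes are all constructed for this example; the staple is a placeholder string, not a real DER-encoded OCSP response, because a genuine one has to be signed by the issuing CA's responder, which is not available offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for the hypothetical
// name "staple.example" so the handshake runs offline. In a real deployment the
// certificate comes from a CA and the staple from that CA's OCSP responder.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "staple.example"},
		DNSNames:     []string{"staple.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// stapleRoundTrip runs one TLS handshake over loopback TCP. The server attaches
// `staple` to its certificate via tls.Certificate.OCSPStaple (nil means "do not
// staple") and the function returns whatever the client finds in
// ConnectionState().OCSPResponse. Go's client always sends status_request, so a
// non-nil staple travels inside the handshake, with no request to a responder.
func stapleRoundTrip(staple []byte) ([]byte, error) {
	cert, parsed, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cert.OCSPStaple = staple
	roots := x509.NewCertPool()
	roots.AddCert(parsed) // trust only our own throwaway certificate
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		srvErr <- tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "staple.example"})
	if err != nil {
		return nil, fmt.Errorf("client handshake: %w", err)
	}
	defer cli.Close()
	if err := <-srvErr; err != nil {
		return nil, fmt.Errorf("server handshake: %w", err)
	}
	// crypto/tls does not parse or verify the staple; the application must check
	// the responder signature and validity window itself before trusting it.
	return cli.ConnectionState().OCSPResponse, nil
}

func main() {
	// Constructed placeholder, NOT a real DER-encoded OCSP response.
	placeholder := []byte("constructed-placeholder-ocsp-response")
	got, err := stapleRoundTrip(placeholder)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stapled:   client received %q during the handshake\n", got)
	none, err := stapleRoundTrip(nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unstapled: client received %d bytes, so it has no status unless it queries the responder itself\n", len(none))
}
```

Two things the code surfaces that the prose does not: with OCSPStaple left nil the server simply omits the extension and the client receives nothing, which is exactly the situation a client has to decide how to treat (fetch directly, soft-fail, or hard-fail under Must-Staple); and crypto/tls performs no OCSP validation of its own, so a Go client that cares about revocation has to parse and verify the returned bytes, for example with golang.org/x/crypto/ocsp, before acting on them.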
Frequently Asked Questions
Why is OCSP stapling beneficial?
Because it removes the client's extra round trip to the responder and keeps the responder from learning which clients are visiting which sites; the responder only sees periodic refresh requests from the server.
Does stapling remove the need for revocation status?
No. It changes how that status is delivered, not whether revocation information matters. The staple is time-limited, so the server has to refresh it before its nextUpdate passes, and a client that receives no staple typically falls back to a direct lookup or soft-fails. If that fallback is unacceptable, the certificate can carry the OCSP Must-Staple extension (RFC 7633), which tells clients to reject a handshake that arrives without a staple.