Is the Web Ready for OCSP Must-Staple?

Taejoong Chung, Jay Lok, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, John Rula, Nick Sullivan, Christo Wilson

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

TLS, the de facto standard protocol for securing communications over the Internet, relies on a hierarchy of certificates that bind names to public keys. Naturally, ensuring that the communicating parties are using only valid certificates is a necessary first step in order to benefit from the security of TLS. To this end, most certificates and clients support OCSP, a protocol for querying a certificate's revocation status and confirming that it is still valid. Unfortunately, OCSP has been criticized for its slow performance, unreliability, soft-failures, and privacy issues. To address these issues, the OCSP Must-Staple certificate extension was introduced, which requires web servers to provide OCSP responses to clients during the TLS handshake, making revocation checks low-cost for clients. Whether all of the players in the web's PKI are ready to support OCSP Must-Staple, however, remains an open question.

In this paper, we take a broad look at the web's PKI and determine if all components involved---namely, certificate authorities, web server administrators, and web browsers---are ready to support OCSP Must-Staple. We find that no component yet fully supports OCSP Must-Staple: OCSP responders are still not fully reliable, and most major web browsers and web server implementations do not fully support OCSP Must-Staple. On the bright side, only a few players need to take action to make it possible for web server administrators to begin relying on certificates with OCSP Must-Staple. Thus, we believe a much wider deployment of OCSP Must-Staple is a realistic and achievable goal.
Original language: English
Title of host publication: Proceedings of the Internet Measurement Conference 2018
Place of Publication: New York, NY, USA
Publisher: Association for Computing Machinery
Pages: 105–118
ISBN (Electronic): 9781450356190
ISBN (Print): 9781450356190
DOIs
Publication status: Published - 2018

Publication series

Name: IMC '18
Publisher: Association for Computing Machinery

Funding

We thank the anonymous reviewers and our shepherd, Brian Trammell, for their helpful comments. This research was supported in part by NSF grants CNS-1409249, CNS-1563320, and CNS-1564143, and made possible by Akamai Technologies and Cloudflare.

Funder: National Science Foundation
Funder number: CNS-1563320, CNS-1409249, CNS-1564143

Keywords

• Public Key Infrastructure
• PKI
• HTTPS
• OCSP
