The OCSP Must-Staple solution can help resolve the OCSP problem. If the Web server could securely
tell the browser that it supported OCSP Stapling, then the browser would know to expect an OCSP-stapled
response, and if no response was received, the browser could hard-fail.
The website administrator has to decide whether their site will support OCSP Must-Staple. First, they
must configure the website to support OCSP stapling; then they must add the OCSP Must-Staple flag. The
design is not finalized, but the OCSP Must-Staple flag can be implemented in two ways:
1. Must-Staple Assertion in the SSL Certificate
2. Must-Staple Assertion in the SSL Header
OCSP stands for Online Certificate Status Protocol. It is a protocol for determining whether a certificate has been revoked. Every time a browser connects to an HTTPS website, it contacts the OCSP responder listed in the SSL certificate and asks whether the certificate is revoked; if it is, the browser blocks the page from loading.
+ OCSP Must-Staple (assertion in certificate): the flag is implemented as a specific object identifier (OID) extension in the SSL certificate.
  -> Pros: no "first visit" problem; every connection to the Web server carries the Must-Staple flag.
  -> Cons: the Web server needs a certificate issued with the OCSP Must-Staple flag.
+ OCSP Must-Staple (assertion in HTTP response): the flag is implemented as an HTTP response header.
  -> Pros: works with the existing SSL certificate.
  -> Cons: "first visit" problem (the browser has not seen the header before its first connection, so that connection is not protected).
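To make the certificate-based variant concrete, here is an added example (not code from the original page) that walks a certificate's DER-encoded Extensions, finds the "TLS Feature" extension that carries the Must-Staple assertion, and applies the hard-fail rule described above. The page only says "a specific OID"; the OID 1.3.6.1.5.5.7.1.24 and the SEQUENCE OF INTEGER encoding with status_request = 5 are taken from RFC 7633 and RFC 6066, which the page does not cite. The two extension blobs at the bottom are constructed for the example, not taken from any real certificate.

```python
# Added example, not code from the original page: a minimal DER walker that finds the
# X.509 "TLS Feature" extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24) and reports whether
# it asserts status_request (TLS extension number 5), i.e. OCSP Must-Staple.
# The certificate extensions below are constructed for the example, not from a real cert.

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                       # TLS "status_request" extension (RFC 6066)


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; supports the short and long length forms."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (base-128 arcs, first two arcs folded into one byte)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return tlv(0x06, bytes(body))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_extensions(der: bytes):
    """Walk Extensions ::= SEQUENCE OF Extension { OID, BOOLEAN critical OPTIONAL, OCTET STRING }.
    Yields (oid_der, critical, value) with the extnValue octets unwrapped."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected an Extensions SEQUENCE")
    pos = 0
    while pos < len(seq):
        etag, ext, pos = read_tlv(seq, pos)
        if etag != 0x30:
            raise ValueError("expected an Extension SEQUENCE")
        otag, oid, p = read_tlv(ext, 0)
        if otag != 0x06:
            raise ValueError("expected an OID")
        critical = False
        vtag, value, p = read_tlv(ext, p)
        if vtag == 0x01:                   # optional BOOLEAN critical, default FALSE
            critical = value != b"\x00"
            vtag, value, p = read_tlv(ext, p)
        if vtag != 0x04 or p != len(ext):
            raise ValueError("expected an OCTET STRING extnValue")
        yield tlv(0x06, oid), critical, value


def decode_tls_features(value: bytes) -> list:
    """Decode TLSFeature ::= SEQUENCE OF INTEGER into a list of TLS extension numbers."""
    tag, seq, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("TLSFeature must be a SEQUENCE")
    features, pos = [], 0
    while pos < len(seq):
        itag, ibody, pos = read_tlv(seq, pos)
        if itag != 0x02:
            raise ValueError("TLSFeature entries must be INTEGERs")
        features.append(int.from_bytes(ibody, "big", signed=True))
    return features


def has_must_staple(extensions_der: bytes) -> bool:
    """True if the TLS Feature extension is present and lists status_request."""
    want = encode_oid(TLS_FEATURE_OID)
    for oid, _critical, value in parse_extensions(extensions_der):
        if oid == want:
            return STATUS_REQUEST in decode_tls_features(value)
    return False


def client_verdict(must_staple: bool, stapled_response: bool) -> str:
    """The hard-fail rule from the text: a Must-Staple certificate with no stapled OCSP
    response is rejected; without the flag the client falls back to its usual soft-fail check."""
    if must_staple and not stapled_response:
        return "hard-fail"
    return "accept" if stapled_response else "soft-fail fallback"


# Constructed sample: a critical keyUsage extension plus a non-critical TLS Feature
# extension asserting status_request, in the same layout a real certificate uses.
SAMPLE_EXTENSIONS = tlv(0x30,
    tlv(0x30, encode_oid("2.5.29.15") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x03, b"\x05\xa0")))
    + tlv(0x30, encode_oid(TLS_FEATURE_OID) + tlv(0x04, tlv(0x30, tlv(0x02, b"\x05")))))
# Constructed sample without the flag: keyUsage only.
NO_FLAG_EXTENSIONS = tlv(0x30,
    tlv(0x30, encode_oid("2.5.29.15") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x03, b"\x05\xa0"))))

if __name__ == "__main__":
    print("must-staple asserted:", has_must_staple(SAMPLE_EXTENSIONS))
    print("verdict when the staple is missing:", client_verdict(True, False))
```

A defender auditing a deployment would run the same check over the real certificate's extensions (for example the DER bytes of the tbsCertificate extensions field) before enabling the flag, because once the assertion is in the certificate every client honouring it will hard-fail whenever the server stops stapling.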
OCSP Must-Staple removes most of the issues with traditional revocation checking, and allows the browsers to implement a hard-fail policy. Although there are some cons listed, these are basically items that will be resolved as the deployed browsers and Web servers support OCSP Stapling and Must-Staple.
Currently, all of the new desktop browsers support OCSP stapling. Regarding Web servers, Microsoft IIS by default supports OCSP Stapling and versions of Apache and Nginx can be configured to support OCSP Stapling. Other servers such as F5 will soon support OCSP Stapling as well.