GlobalSign, DigiCert, Comodo, and NGINX announced a joint effort and a sponsored development contract, to enhance the NGINX open source web server to support OCSP-stapling.
This collaboration further advances the SSL ecosystem by improving the privacy, reliability and revocation checking for all websites using the NGINX web server — currently run by more than 25 percent of the top 1,000 websites, and by 70,000,000 websites on the Internet overall.
“The team at NGINX is delighted that GlobalSign, DigiCert, and Comodo support the OCSP stapling enhancement to the NGINX webserver,” said Igor Sysoev CTO and principal architect at NGINX, “We have been continuously working on enhancements to NGINX that increase performance, reliability and security. With improved SSL functionality we expect the vast majority of our customers to share our enthusiasm for increased safety on the Internet.”
The Online Certificate Status Protocol (OCSP) is used to present the revocation status, or current validity, of an SSL certificate, and provides an alternative to the Certificate Revocation List (CRL) method.
OCSP offers efficiencies when compared to the CRL method, which requires the client, such as a browser, to download potentially large databases of revocation information reflecting the status as of its last publication date. In contrast, OCSP can provide more up-to-date status information by allowing the browser to query the revocation status at the very point of encountering the certificate, without relying on cached information.
OCSP-stapling enhances the basic OCSP method by allowing the presenter of a certificate, such as the website hosting the SSL certificate, to deliver the OCSP response to the browser instead of it being delivered by the issuing CA. By keeping the certificate response within the web host and not with the CA, OCSP-stapling ensures the browser receives the same response performance for the certificate status information as it does for the website content.
This helps to maintain a high-quality user experience and avoids delays otherwise caused by request volume or network congestion that can slow CA response under the standard OCSP method. Compared with basic OCSP, privacy concerns are also addressed, as the CA is no longer receiving revocation requests directly from the browser.
NGINX is the second most popular open source webserver and, according to the W3Techs server survey, is currently used by more than 25 percent of the top 1,000 most visited websites. The new version with full OCSP-stapling support will be available in late August 2012.
IIS on Microsoft Server 2008 and Apache 2.3.6 already support OCSP-stapling; thus, the enhancements to NGINX mean that nearly all webservers can now deploy this critical technology.