OCSP
Online Certificate Status Protocol. RFC 6960 lets a client verify the revocation status of an X.509 certificate in real time.
Definition
OCSP (Online Certificate Status Protocol) is an IETF protocol that lets a client (browser, MTA, AS2 server) query an OCSP responder of the certificate authority to know whether an X.509 certificate is still valid or has been revoked. The response is signed by the CA and includes a timestamp. OCSP is lighter and more up-to-date than CRL revocation lists.
Origin
OCSP was standardised by IETF in RFC 2560 in June 1999, then revised in RFC 6960 in June 2013. The OCSP stapling extension (RFC 6066, 2011) allows the TLS server to directly present a recent OCSP response during the handshake, removing client-side network load. In the EDI context, OCSP is mandatory in PEPPOL to validate every AS4 certificate before exchange.
Example in context
When a PEPPOL Access Point receives an inbound AS4 connection, it verifies the client certificate by querying the OpenPEPPOL OCSP responder (URL carried in the certificate's Authority Information Access extension). If the response returns revoked, the connection is refused and the message rejected before decryption. This check typically adds 100 to 300 ms to each handshake, often justifying an OCSP cache on the AP side.