The revocation check problem
A certificate can be revoked before it expires, so clients need a way to confirm it is still valid. The Online Certificate Status Protocol (OCSP) lets a client ask the certificate authority whether a certificate is good. Done naively, the client contacts the authority directly, which adds latency and leaks which sites the user visits to the authority.
How stapling helps
With OCSP stapling, the server does the revocation check itself on a schedule and attaches the signed, timestamped response to the TLS handshake.
- The server periodically queries the authority for a fresh status.
- It caches the signed response, called the staple.
- During the handshake it includes the staple, so the client trusts it without contacting the authority.
Because the response is signed by the authority and carries a validity window, the server cannot forge a good status for a revoked certificate. Must-staple is a certificate extension that tells clients to reject the connection if no staple is present, closing the gap where an attacker simply omits the response.
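The client-side decision described above, as an added example that is not taken from any TLS library. The Staple class, the evaluate_handshake function and the sample values are hypothetical, and the signature_ok flag stands in for the result of verifying the authority's signature, which is assumed to be done elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Staple:
    """Constructed stand-in for a parsed OCSP response (not a real parser)."""
    status: str            # "good" or "revoked"
    this_update: datetime  # start of the validity window
    next_update: datetime  # end of the validity window
    signature_ok: bool     # assumed result of checking the authority's signature

def evaluate_handshake(staple: Optional[Staple], must_staple: bool,
                       now: datetime) -> tuple[bool, str]:
    """Return (accept, reason) for one handshake."""
    if staple is None:
        # The gap must-staple closes: the response was simply omitted.
        if must_staple:
            return False, "must-staple certificate presented without a staple"
        return True, "no staple, no must-staple: revocation status unknown"
    if not staple.signature_ok:
        return False, "staple not signed by the authority"
    if not (staple.this_update <= now <= staple.next_update):
        # An old good response must not outlive its validity window.
        return False, "staple outside its validity window"
    if staple.status != "good":
        return False, "certificate is " + staple.status
    return True, "fresh signed good status"

# Constructed sample data.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
FRESH = Staple("good", NOW - timedelta(days=1), NOW + timedelta(days=3), True)
EXPIRED = Staple("good", NOW - timedelta(days=9), NOW - timedelta(days=2), True)
REVOKED = Staple("revoked", NOW - timedelta(days=1), NOW + timedelta(days=3), True)
UNSIGNED = Staple("good", NOW - timedelta(days=1), NOW + timedelta(days=3), False)

if __name__ == "__main__":
    cases = [("fresh", FRESH, False), ("expired", EXPIRED, False),
             ("revoked", REVOKED, False), ("bad signature", UNSIGNED, False),
             ("omitted", None, False), ("omitted, must-staple", None, True)]
    for name, staple, must in cases:
        print(name, "->", evaluate_handshake(staple, must, NOW))
```

The two "omitted" cases show the difference the extension makes: the same missing staple is accepted without must-staple and rejected with it.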
Key idea
OCSP stapling has the server fetch and attach a signed revocation status to the handshake, removing the client's privacy-leaking round trip to the authority.