OCSP

OCSP (Online Certificate Status Protocol, RFC 6960) lets a TLS client ask a Certificate Authority's responder, in real time, whether a certificate has been revoked. The classic deployment had clients query the OCSP responder directly, which was slow and leaked browsing history to the CA. OCSP stapling (the TLS Certificate Status Request extension, RFC 6066 §8) fixed this: the web server periodically fetches a signed OCSP response itself and attaches it to the TLS handshake. The industry has since shifted away from OCSP entirely. Let's Encrypt announced shutdown of its OCSP responders in 2024, with Chrome and Firefox now relying on CRLite-style aggregated revocation lists and progressively shorter certificate lifetimes (90 days, moving to 47 days by 2029).