Lab-05: PQC OCSP
Lab-05: PQC OCSP
Section titled “Lab-05: PQC OCSP”Real-Time Certificate Verification with OCSP
Section titled “Real-Time Certificate Verification with OCSP”Key Message: Real-time certificate verification with OCSP works exactly the same with PQC. Same HTTP protocol, same tools.
Important distinction: OCSP does not revoke certificates. It only reports revocation status. Revocation is a CA operation (see Revocation). OCSP is a distribution mechanism — like asking “is this certificate still valid?” rather than “revoke this certificate.”
The Scenario
Section titled “The Scenario”You have a CRL. But it’s updated every hour. A certificate was revoked 30 seconds ago. Clients don’t know yet.
TIMELINE: The CRL Staleness Problem───────────────────────────────────
03:00 03:30 04:00 04:30 05:00 │ │ │ │ │ ▼ ▼ ▼ ▼ ▼ CRL Cert CRL CRL CRL published REVOKED published published published
↑ │ For 30 min, clients still trust the revoked certificate!“I need real-time certificate status. CRLs are too slow. Does OCSP work with PQC?”
Yes. Same HTTP protocol, same request/response format. Only signature sizes change.
What We’ll Do
Section titled “What We’ll Do”- Create a PQC CA 1b. Issue OCSP responder certificate
- Start OCSP responder 2b. Issue TLS certificate
- Query certificate status (GOOD)
- Revoke the certificate 3b. Query again (REVOKED) 2c. Stop OCSP responder
Run the Demo
Section titled “Run the Demo”./journey/05-ocsp/demo.shThe Commands
Section titled “The Commands”Step 1: Create CA
Section titled “Step 1: Create CA”# Create PQC CA with ML-DSA-65qpki ca init --profile profiles/pqc-ca.yaml \ --var cn="PQC CA" \ --ca-dir output/pqc-ca
qpki ca export --ca-dir output/pqc-ca --out output/pqc-ca/ca.crtStep 1b: Issue OCSP Responder Certificate
Section titled “Step 1b: Issue OCSP Responder Certificate”# Generate OCSP responder key and CSRqpki csr gen --algorithm ml-dsa-65 \ --keyout output/ocsp-responder.key \ --cn "OCSP Responder" \ --out output/ocsp-responder.csr
# Best practice: CA key stays offlineqpki cert issue --ca-dir output/pqc-ca \ --profile profiles/pqc-ocsp-responder.yaml \ --csr output/ocsp-responder.csr \ --out output/ocsp-responder.crtStep 2: Start OCSP Responder
Section titled “Step 2: Start OCSP Responder”# Start with delegated certificate (recommended)qpki ocsp serve --port 8888 --ca-dir output/pqc-ca \ --cert output/ocsp-responder.crt \ --key output/ocsp-responder.keyStep 2b: Issue TLS Certificate
Section titled “Step 2b: Issue TLS Certificate”# Generate TLS server key and CSRqpki csr gen --algorithm ml-dsa-65 \ --keyout output/server.key \ --cn server.example.com \ --out output/server.csr
qpki cert issue --ca-dir output/pqc-ca \ --profile profiles/pqc-tls-server.yaml \ --csr output/server.csr \ --out output/server.crtStep 3: Query Certificate Status (GOOD)
Section titled “Step 3: Query Certificate Status (GOOD)”# Generate OCSP requestqpki ocsp request --issuer output/pqc-ca/ca.crt \ --cert output/server.crt \ --out output/request.ocsp
# Send OCSP request (RFC 6960) - response is immediate, unlike CRLcurl -s -X POST \ -H "Content-Type: application/ocsp-request" \ --data-binary @output/request.ocsp \ http://localhost:8888/ \ -o output/response.ocsp
qpki ocsp info output/response.ocspStep 4: Revoke Certificate
Section titled “Step 4: Revoke Certificate”# Revoke certificateqpki cert revoke <serial> --ca-dir output/pqc-ca --reason keyCompromiseStep 3b: Query Again (REVOKED)
Section titled “Step 3b: Query Again (REVOKED)”# Query again - status changes immediately! (CRL would take hours)curl -s -X POST \ -H "Content-Type: application/ocsp-request" \ --data-binary @output/request.ocsp \ http://localhost:8888/ \ -o output/response2.ocsp
qpki ocsp info output/response2.ocsp# Status: revokedStep 2c: Stop OCSP Responder
Section titled “Step 2c: Stop OCSP Responder”# Stop the OCSP responderqpki ocsp stop --port 8888CRL vs OCSP
Section titled “CRL vs OCSP”| Criteria | CRL | OCSP |
|---|---|---|
| Update | Periodic (hourly/daily) | Real-time |
| Size | Can be large (full list) | Small (one response) |
| Availability | Works offline | Requires network |
| Latency | Local read | Network request |
| Vuln. window | Until next CRL | Nearly zero |
In practice: Use BOTH
- OCSP for real-time checks
- CRL as offline fallback
OCSP Architecture
Section titled “OCSP Architecture”CA-Signed Mode (Simple)
Section titled “CA-Signed Mode (Simple)”┌─────────────┐ ┌──────────────────┐│ Client │ ─── OCSP Request ──► │ OCSP Responder ││ (curl/app) │ ◄── OCSP Response ── │ (qpki ocsp serve) │└─────────────┘ └────────┬─────────┘ │ Signs with CA key (CA key online - risk!)Delegated Responder Mode (Recommended)
Section titled “Delegated Responder Mode (Recommended)”┌─────────────┐ ┌──────────────────┐│ Client │ ─── OCSP Request ──► │ OCSP Responder ││ (curl/app) │ ◄── OCSP Response ── │ (qpki ocsp serve) │└─────────────┘ └────────┬─────────┘ │ Signs with responder key (CA key stays offline!) │ ┌────────▼─────────┐ │ OCSP Responder │ │ Certificate │ │ (id-kp-OCSPSign) │ └──────────────────┘The OCSP responder certificate has:
- Extended Key Usage:
id-kp-OCSPSigning(1.3.6.1.5.5.7.3.9) - OCSP No Check extension (prevents infinite verification loop)
Size Comparison
Section titled “Size Comparison”| Component | Classical (ECDSA) | Post-Quantum (ML-DSA) | Notes |
|---|---|---|---|
| OCSP Request | ~100 bytes | ~100 bytes | Same format |
| OCSP Response | ~300 bytes | ~3,500 bytes | PQC signature larger |
Responses are larger due to ML-DSA signatures, but the protocol is unchanged.
Response Times
Section titled “Response Times”| Operation | Classical | PQC | Notes |
|---|---|---|---|
| Request generation | <1ms | <1ms | Same |
| Network round-trip | ~Xms | ~Xms | Same protocol |
| Signature verification | <1ms | ~2-5ms | ML-DSA slightly slower |
When to Use OCSP
Section titled “When to Use OCSP”| Industry | Use Case | Why Real-Time Matters |
|---|---|---|
| Banking/Finance | Transaction signing | Reject compromised certs instantly |
| E-commerce | Payment processing | Prevent fraud during checkout |
| Healthcare | EHR access | Immediate access revocation |
| Government | Citizen portals | Real-time credential validation |
| Cloud/SaaS | API authentication | Block compromised service accounts |
CRL alone is insufficient when:
- Transactions are high-value (financial, legal)
- Compliance requires real-time status (PCI-DSS, HIPAA)
- Attack window must be minimized (< 1 hour tolerance)
What You Learned
Section titled “What You Learned”- Same HTTP protocol: RFC 6960 works unchanged with PQC
- Delegated responders: Best practice keeps CA keys offline
- Real-time status: Revocation changes are immediate
- Size tradeoff: PQC responses are larger but acceptable
- Drop-in replacement: Existing OCSP clients work with PQC responders
References
Section titled “References”- RFC 6960: Online Certificate Status Protocol (OCSP)
- RFC 5019: Lightweight OCSP Profile
- RFC 6277: OCSP Algorithm Agility