GlobalSign, DigiCert, Comodo, and NGINX Improve Online Trust
21st June 2012
Announce a joint effort and a sponsored development contract to enhance the NGINX open source web server to support OCSP-stapling.
GlobalSign, a Certification Authority (CA) and provider of SSL Partner Programs, alongwith DigiCert, Comodo, and NGINX recently announced a joint effort and a sponsored development contract, to enhance the NGINX open source web server to support OCSP-stapling. This collaboration further advances the SSL ecosystem by improving the privacy, reliability and revocation checking for all websites using the NGINX web server.
The company states that the Online Certificate Status Protocol (OCSP) is used to present the revocation status, or current validity, of an SSL Certificate, and provides an alternative to the Certificate Revocation List (CRL) method. OCSP offers efficiencies when compared to the CRL method, which requires the client, such as a browser, to download potentially large databases of revocation information reflecting the status as of its last publication date In contrast, OCSP can provide more up-to-date status information by allowing the browser to query the revocation status at the very point of encountering the certificate, without relying on cached information.
It further states that OCSP-stapling enhances the basic OCSP method by allowing the presenter of a certificate, such as the website hosting the SSL Certificate, to deliver the OCSP response to the browser instead of it being delivered by the issuing CA. By keeping the certificate response within the web host and not with the CA, OCSP-stapling ensures the browser receives the same response performance for the certificate status information as it does for the website content. This helps to maintain a high-quality user experience and avoids delays otherwise caused by request volume or network congestion that can slow CA response under the standard OCSP method. Compared with basic OCSP, privacy concerns are also addressed, as the CA is no longer receiving revocation requests directly from the browser.
The company says that NGINX is the second most popular open source web server and, according to the W3Techs server survey, is currently used by more than 25 percent of the top 1,000 most visited websites. The new version with full OCSP-stapling support will be available in late August 2012. IIS on Microsoft Server 2008 and Apache 2.3.6 already support OCSP-stapling; thus, the enhancements to NGINX mean that nearly all web servers can now deploy this critical technology.
In a collective statement by GlobalSign, DigiCert, and Comodo, Ryan Hurst, Chief Technology Officer of GlobalSign, stated, "By addressing the issues holding back common usage of OCSP, NGINX is contributing toward a unified goal of widespread OCSP adoption across all web servers on the Internet. This project is another major initiative where certification authorities are working closely to improve the ecosystem for everyone relying on SSL for a safer, private and more secure internet experience."
"The team at NGINX is delighted that GlobalSign, DigiCert, and Comodo support the OCSP stapling enhancement to the NGINX web server," said Igor Sysoev, CTO and Principal Architect at NGINX. "We have been continuously working on enhancements to NGINX that increase performance, reliability and security. With improved SSL functionality we expect the vast majority of our customers to share our enthusiasm for increased safety on the Internet."