TLS & Encryption

OCSP (Online Certificate Status Protocol)

A protocol (RFC 6960) for checking in real time whether a TLS certificate has been revoked by its issuing CA, as a more efficient alternative to downloading full Certificate Revocation Lists (CRLs). The client sends a request to the CA's OCSP responder URL embedded in the certificate and receives a signed response of 'good', 'revoked', or 'unknown'. A major limitation is that OCSP checks reveal the websites a client visits to the CA's OCSP server, raising privacy concerns that OCSP Stapling and OCSP Must-Staple were designed to address.
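
Added example (not part of the original entry): standard-library Python that builds the minimal RFC 6960 request a client sends and then decodes it the way the CA's responder would, showing that the query names the exact certificate being checked. The responder URL, issuer bytes and serial number are constructed placeholders, and SHA-1 is assumed for the CertID hashes.

```python
import base64, hashlib
from urllib.parse import quote, unquote

def tlv(tag, content):  # DER-encode one tag-length-value element
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

SHA1_ALG = tlv(0x30, bytes.fromhex("06052b0e03021a") + b"\x05\x00")  # id-sha1, NULL

def build_ocsp_request(issuer_name_der, issuer_key, serial):
    """Minimal OCSPRequest: one CertID, no nonce extension, unsigned."""
    serial_bytes = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    cert_id = tlv(0x30, SHA1_ALG
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
                  + tlv(0x04, hashlib.sha1(issuer_key).digest())
                  + tlv(0x02, serial_bytes))
    request_list = tlv(0x30, tlv(0x30, cert_id))   # SEQUENCE OF Request
    return tlv(0x30, tlv(0x30, request_list))      # OCSPRequest { TBSRequest }

def get_url(responder, der):
    """GET form from RFC 6960 Appendix A: URL-encoded base64 of the DER request."""
    return responder.rstrip("/") + "/" + quote(base64.b64encode(der).decode(), safe="")

def children(content):
    """Split DER content into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:                      # long form: next k bytes hold the length
            k = length & 0x7F
            length, pos = int.from_bytes(content[pos:pos + k], "big"), pos + k
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out

def responder_view(url):
    """Fields the responder can read from a GET-style OCSP query."""
    node = base64.b64decode(unquote(url.rsplit("/", 1)[1]))
    for _ in range(5):  # OCSPRequest > TBSRequest > requestList > Request > CertID
        node = children(node)[0][1]
    alg, name_hash, key_hash, serial = (v for _, v in children(node))
    return {"issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big")}

# Constructed sample values (placeholders, not a real CA or certificate).
SAMPLE_URL = get_url("http://ocsp.example.test", build_ocsp_request(
    b"constructed issuer Name DER", b"constructed issuer key", 0x0A1B2C3D4E5F))
```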

Related Protocols

See also