OCSP

Online Certificate Status Protocol

Introduced in Rel-5

OCSP is an Internet protocol used in 3GPP networks for near-real-time verification of the revocation status of X.509 digital certificates, as part of certificate-based authentication of network nodes and devices.

Category
Security
Introduced
Rel-5
Where
Security
Specifications
7 specs

Description

The Online Certificate Status Protocol (OCSP) is an IETF standard (RFC 6960) adopted within 3GPP specifications to provide real-time validation of the revocation status of public key certificates. In a Public Key Infrastructure (PKI), certificates can be revoked before their expiration date due to private key compromise or other issues. OCSP provides a more efficient and timely alternative to traditional Certificate Revocation Lists (CRLs). The protocol operates in a client-server model: an OCSP client (known as a requester) sends a status request for a specific certificate to an OCSP responder (server). The responder, which is typically operated by the Certificate Authority (CA) or a delegated entity, checks its revocation database and returns a digitally signed response indicating the certificate's status: 'good', 'revoked', or 'unknown'.

Within 3GPP architectures, OCSP is integrated into several security frameworks. For example, in the Generic Bootstrapping Architecture (GBA), OCSP can be used by network application functions (NAFs) or the Bootstrapping Server Function (BSF) to validate certificates presented by user equipment (UE) or other network elements. The protocol messages are carried over HTTP (RFC 6960, Appendix A). An OCSP request identifies the certificate in question by a CertID: the hash algorithm, a hash of the issuer's distinguished name, a hash of the issuer's public key, and the certificate's serial number (the serial number itself is not hashed). The response is signed by the responder, and the client must verify that signature against a trusted key: either the issuing CA's own key or a responder certificate issued by that CA with the id-kp-OCSPSigning extended key usage. The client should also check that the CertID echoed in the response matches its request, that any nonce it sent is echoed, and that the response is fresh (thisUpdate/nextUpdate). 3GPP profiles the use of OCSP in TS 33.310, specifying mandatory certificate extensions, acceptable cryptographic algorithms, and requirements for response caching to reduce load on the responder.
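The request structure described above, encoded and decoded with only the Python standard library, as an added example that is neither page content nor 3GPP or RFC reference code. The issuer name, issuer public key bytes, serial number and nonce are constructed placeholders; in practice they come from the issuer certificate and a random source.

```python
"""RFC 6960 OCSPRequest: DER encoding of the CertID and an unsigned request with a
nonce, plus a decoder for the same structure. Standard library only. Added example;
the issuer name, key bytes, serial and nonce below are constructed placeholders."""
import hashlib

OID_SHA1 = "1.3.14.3.2.26"                 # hashAlgorithm used in CertID
OID_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2"    # id-pkix-ocsp-nonce (RFC 8954)


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Non-negative INTEGER; the byte count keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def cert_id(issuer_name_der, issuer_public_key, serial):
    """CertID = SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    issuerNameHash covers the issuer's full DER Name; issuerKeyHash covers the
    subjectPublicKey BIT STRING contents (tag, length and unused-bits byte excluded).
    The serial number is carried as-is, not hashed."""
    alg = tlv(0x30, der_oid(OID_SHA1) + b"\x05\x00")          # AlgorithmIdentifier, NULL params
    return tlv(0x30, alg
               + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
               + tlv(0x04, hashlib.sha1(issuer_public_key).digest())
               + der_int(serial))


def ocsp_request(issuer_name_der, issuer_public_key, serial, nonce):
    """Unsigned OCSPRequest with one Request and a nonce in requestExtensions."""
    request_list = tlv(0x30, tlv(0x30, cert_id(issuer_name_der, issuer_public_key, serial)))
    # Extension { extnID, critical DEFAULT FALSE (omitted), extnValue OCTET STRING };
    # the extnValue wraps the nonce's own OCTET STRING encoding.
    nonce_ext = tlv(0x30, der_oid(OID_OCSP_NONCE) + tlv(0x04, tlv(0x04, nonce)))
    extensions = tlv(0xA2, tlv(0x30, nonce_ext))                 # requestExtensions [2] EXPLICIT
    tbs = tlv(0x30, request_list + extensions)                   # version v1 is DEFAULT, omitted
    return tlv(0x30, tbs)                                        # optionalSignature absent


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_ocsp_request(der):
    """Return the CertID fields of each Request and the nonce, if present. A client
    applies the same comparison to the CertID echoed in each SingleResponse."""
    _, outer, _ = read_tlv(der)
    fields = dict(children(children(outer)[0][1]))   # TBSRequest parts keyed by tag
    requests = []
    for _, req in children(fields[0x30]):
        cid = children(children(req)[0][1])
        requests.append({"hash_alg": decode_oid(children(cid[0][1])[0][1]),
                         "issuer_name_hash": cid[1][1], "issuer_key_hash": cid[2][1],
                         "serial": int.from_bytes(cid[3][1], "big")})
    nonce = None
    if 0xA2 in fields:
        for _, ext in children(children(fields[0xA2])[0][1]):
            parts = children(ext)
            if decode_oid(parts[0][1]) == OID_OCSP_NONCE:
                nonce = read_tlv(parts[-1][1])[1]    # unwrap extnValue -> OCTET STRING nonce
    return {"requests": requests, "nonce": nonce}


# Constructed placeholders standing in for values read from the issuer certificate.
ISSUER_NAME_DER = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, b"Example SBA CA"))))
ISSUER_PUBLIC_KEY = bytes(range(65))      # e.g. an uncompressed EC point would sit here
SERIAL = 0x0AC81F9E44D20001
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")


def build_and_decode():
    req = ocsp_request(ISSUER_NAME_DER, ISSUER_PUBLIC_KEY, SERIAL, NONCE)
    return req, parse_ocsp_request(req)


if __name__ == "__main__":
    req, decoded = build_and_decode()
    print(req.hex())
    print(decoded)
```

Transport (an HTTP POST with Content-Type application/ocsp-request) and verification of the responder's signature are left to an X.509 library; the decoder above is the part a client needs itself, to confirm that the CertID and nonce in the response are the ones it sent.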

Its role is critical for maintaining the trust chain in 3GPP security systems that rely on PKI: securing interfaces in the 5G Service-Based Architecture (SBA) and between SEPPs, certificate-based IKEv2/TLS authentication of network nodes and H(e)NBs (TS 33.310, TS 33.320, TS 33.401), and validating certificates in the IP Multimedia Subsystem (IMS). By enabling near-real-time revocation checking, OCSP shortens the window in which a compromised certificate is still accepted. The protection is only as strong as the client's policy when the responder is unreachable or the response is stale: a client that silently accepts the certificate in that case ("soft fail") gains little over not checking at all. OCSP is a foundational component for dynamic trust management in modern, automated mobile networks.

Purpose & Motivation

OCSP was integrated into 3GPP standards to address the limitations of Certificate Revocation Lists (CRLs) in dynamic mobile environments. CRLs are periodically published lists of all revoked certificates, which clients must download and process. This model has significant drawbacks: it introduces latency (as clients may be using stale lists), consumes bandwidth (especially for large lists), and does not scale well for devices with limited resources. In fast-paced mobile networks where devices roam and services are instantiated on-demand, a near-real-time revocation check is often necessary.

The protocol solves the problem of timely and efficient certificate status validation. It allows a network entity to query the status of a single certificate at the exact moment a trust decision is needed, providing much fresher information than a CRL. This is crucial for security-sensitive operations like initial network access authentication, establishing secure tunnels, or validating software updates. Its adoption in 3GPP was motivated by the increasing reliance on PKI for network function authentication in all-IP architectures (like IMS and 5G SBA) and for securing IoT device credentials. OCSP provides the agility required for automated, zero-touch provisioning and operation in these complex ecosystems, where the security state can change rapidly.

Classification

Part of: PKI

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (26 CRs across 4 releases). Complements the description above with the evidence-based evolution of this function.

Studied in Rel-5, normative work from Rel-16.

Rel-16 (4 changes)

In Release 16, the OCSP-related updates (all to TS 33.310) centered on refining the Service-Based Architecture (SBA) Network Function certificate profile. These changes made the NF instance identifier mandatory within the certificate profile and corrected the format specification for the `apiRoot` field. Additionally, the general certificate and Certificate Revocation List (CRL) profiles were updated to support these enhancements.

  • Certificate and CRL profile update (TS 33.310 CR0105)
  • SBA Network Function certificate profile (TS 33.310 CR0110)
  • Making NF instance id in SBA certificate profile mandatory to support (TS 33.310 CR0112)
  • Correction to NF Certificate profile: Format of the apiRoot (TS 33.310 CR0118)

Rel-17 (12 changes)

In Release 17, the OCSP-related updates primarily focused on refining and correcting the X.509 certificate profiles for various Network Functions within the 5G Service-Based Architecture. Specific clarifications and corrections were made regarding the NF certificate profile, the SCP certificate profile, and the SEPP intra-domain certificate profile, including the format of URN strings and callback URIs. Furthermore, a key change was the removal of the keyEncipherment KeyUsage from SBA certificates for enhanced security alignment.

  • Security updates for algorithms and protocols in 33.310 (TS 33.310 CR0120)
  • Security updates for algorithms and protocols for 33.310 (TS 33.310 CR0124)
  • Correct NF certificate profile (TS 33.310 CR0143)
  • Correction of the format of the URN string in the NF certificate profile (TS 33.310 CR0126)
  • Clarification on CN-ID when it is presented in the certificate (TS 33.310 CR0128)
  • Clarification on the format of callback URI in the NF certificate profile (TS 33.310 CR0132)

(6 further Rel-17 CRs are not listed here.)

Rel-18 (5 changes)

In Release 18, updates to the OCSP function were part of broader enhancements to certificate management in the 5G Service-Based Architecture, specifically the validation of X.509 certificate usage. The work included clarifications of the SEPP inter-domain certificate profiles and corrections to the SBA certificate specifications, such as fixing the UUID example. The aim was to ensure that only valid certificates are accepted when authenticating network functions.

  • Certificate Management for 5GC NFs (TS 33.310 CR0168)
  • SBA TLS certificate update (TS 33.310 CR0151)
  • Update to Validation of usage of X.509 certificate (TS 33.310 CR0172)
  • Clarification of SEPP inter-domain certificate profiles (TS 33.310 CR0167)
  • Correcting the UUID example in SBA certificates (TS 33.310 CR0186)

Rel-19 (5 changes)

In Release 19, TS 33.310 gained automated addition of root CA certificates using CMP and an Automatic Certificate Management Environment (ACME) profile for the Service-Based Architecture (SBA), corrected the procedure for validating the usage of X.509 certificates, and updated the SBA certificate profile. Separately, the cryptographic inventory in TR 33.938 was extended with a new protocol entry.

  • Automated additions of root CAs certificates using CMP (TS 33.310 CR0198)
  • Automatic Certificate Management Environment (ACME) for the Service Based Architecture (SBA) (TS 33.310 CR0215)
  • Adding MOBILE protocol to inventory list (TS 33.938 CR0008)
  • Correction to validation of usage of X.509 certificate procedure (TS 33.310 CR0202)
  • Updates to the SBA certificate profile (TS 33.310 CR0204)


Defining Specifications

3GPP specifications that define or reference OCSP, with the latest known release. Sourced from the 3GPP document catalog.

Specification   Version   Title                                                 Release
TS 23.057       vj00      Mobile Execution Environment (MExE) Specification     Rel-19
TS 33.310       vj50      3GPP Authentication Framework for Network Nodes       Rel-19
TS 33.320       vj00      H(e)NB Subsystem Security Architecture                Rel-19
TS 33.401       vj10      EPS Security Architecture                             Rel-19
TS 33.812       v920      M2M Remote Subscription Management Security           Rel-9
TR 33.876       vi01      Technical Report on Certificate Management            Rel-18
TR 33.938       vj10      3GPP Cryptographic Inventory for 5G                   Rel-19

(Version codes follow the 3GPP letter scheme for major versions above 9: i = 18, j = 19, so vj00 is version 19.0.0.)