GB/T 19713-2025   Cybersecurity technology―Public key infrastructure―Online certificate status protocol (English Version)
Standard No.: GB/T 19713-2025
English Name: Cybersecurity technology―Public key infrastructure―Online certificate status protocol
Chinese Name: 网络安全技术公钥基础设施在线证书状态协议
Professional Classification: GB    National Standard
Source Content Issued by: SAMR; SAC
Issued on: 2025-02-28
Implemented on: 2025-9-1
Status: valid
Superseding: GB/T 19713-2005 Information technology - Security techniques - Public key infrastructure - Online certificate status protocol
Target Language: English
File Format: PDF
Word Count: 10000 words
Translation Price(USD): 350.0
Delivery: via email in 1 business day
ICS 35.030
CCS L 80

National Standard of the People's Republic of China
GB/T 19713-2025
Replaces GB/T 19713-2005

Cybersecurity technology - Public key infrastructure - Online certificate status protocol
网络安全技术 公钥基础设施 在线证书状态协议
(English Translation)

Issue date: 2025-02-28
Implementation date: 2025-09-01
Issued by:
the State Administration for Market Regulation of the People's Republic of China
the Standardization Administration of the People's Republic of China

Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General provisions
  5.1 Introduction
  5.2 Requests
  5.3 Responses
  5.4 Exceptions
  5.5 Time semantics
  5.6 Pre-generated responses
  5.7 Delegation of OCSP signing authority
  5.8 CA key compromise
6 Functional requirements
  6.1 Certificate content requirements
  6.2 Requirements for accepting signed responses
7 Syntax specifications
  7.1 Conventions
  7.2 Requests
  7.3 Responses
  7.4 Extensions
Annex A (Normative) ASN.1 syntax specification for OCSP requests and responses
Annex B (Normative) HTTP-Based OCSP requests and responses
Annex C (Informative) Examples of ASN.1 syntax messages for OCSP Requests and Responses
Annex D (Informative) Security considerations
Bibliography

Foreword

Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.

This document is drafted in accordance with GB/T 1.1-2020 Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents.

This document replaces GB/T 19713-2005 Information technology - Security techniques - Public key infrastructure - Online certificate status protocol. In addition to structural adjustments and editorial changes, the following main technical changes have been made with respect to GB/T 19713-2005:

a) The sentence "this standard is applicable to various applications and computing environments based on public key infrastructure" has been modified to "this document is applicable to the construction of public key infrastructure and secure applications based on the online certificate status protocol (OCSP), among others" (see Clause 1 hereof; Clause 1 of Edition 2005);
b) A diagram of relationship among the parties in the OCSP protocol has been added to the "General provisions" (see 5.1 hereof; 5.1 of Edition 2005);
c) The term "hash signature of response" has been modified to "digital signature of response" [see 5.3 b) hereof; 5.3 f) of Edition 2005];
d) The scope of use for the "revoked" status has been modified to allow this response status to be used for certificates that have never been issued [see 5.3 d) hereof; 5.3 of Edition 2005];
e) The response requirements for status requests regarding unissued certificates have been added [see 5.3 e) hereof];
f) The scope of use for the unauthorized error response has been modified (see 5.4 hereof; 5.4 of Edition 2005);
g) The definition of the revocationTime semantic has been added (see 5.5 hereof);
h) The support for SM2 and SM3 algorithms has been added (see 7.1 and 7.2 hereof);
i) The definitions of the Signature, Extensions, CertificateSerialNumber, SubjectPublicKeyInfo, Name, AlgorithmIdentifier, and CRLReason structures in the OCSP ASN.1 syntax have been added (see 7.1 hereof);
j) Annotations for the lightweight OCSP request syntax have been added (see 7.2.2 hereof);
k) The requirements for time in the lightweight OCSP protocol have been added (see 7.3.2.1 hereof);
l) The sentence "the locally configured OCSP signing authority entity contains a certificate that matches the certificate whose status is to be verified" has been modified to "the locally configured OCSP responder certificate matches the OCSP responder certificate" (see 7.3.2.2.2 hereof; 7.3.2.2 of Edition 2005);
m) A method for checking the revocation status of authorized responders in a lightweight OCSP environment has been added [see 7.3.2.2.3 d) hereof];
n) The subclause "7.3.2.3 Basic response" has been added, and it has been clarified that the ResponderID field corresponds to the OCSP responder's signature certificate (see 7.3.2.3 hereof);
o) The requirements for the OCSPResponse structure in lightweight OCSP responses have been added [see 7.3.2.3 e) hereof];
p) The subclause "7.3.2.2.4 Certificate status issuance" has been added, describing the standards that OCSP responders shall follow for obtaining certificate status (see 7.3.2.2.4 hereof);
q) Mandatory and optional cryptographic algorithms have been deleted (see 7.4 of Edition 2005);
r) The ASN.1 syntax for Nonce has been modified, and the length range for Nonce has been specified (see 7.4.2 hereof; 7.5.1 of Edition 2005);
s) The standard to be followed for CRL entry extensions has been modified (see 7.4.6 hereof; 7.5.5 of Edition 2005);
t) The "PreferredSignatureAlgorithms" extension has been added, which can be included in the request message to specify the signature algorithm the requester prefers the responder to use, with SM3WithSM2 recommended as the preferred algorithm (see 7.4.8 hereof);
u) The "extended-revoke definition" extension has been added, which indicates that the responder supports the extended use of the "revoked" response for unissued certificates as defined in 5.3 (see 7.4.9 hereof);
v) The ASN.1 module using the 2008 syntax of ASN.1 has been modified to add support for using SM2 and SM3 algorithms (see Annex A hereto; Annex B to Edition 2005); the syntax specification for lightweight OCSP ASN.1 and support for using SM2 and SM3 algorithms have been added (see Annex A hereto);
w) The construction of lightweight OCSP requests and responses has been added (see Annex B.2 hereto);
x) The clause "Security considerations" has been moved from the main text to Annex D, with the content supplemented and improved (see Annex D hereto; Clause 8 of Edition 2005).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.

This document was proposed by and is under the jurisdiction of SAC/TC 260 National Technical Committee on Cybersecurity of Standardization Administration of China.

The previous editions of this document are as follows:
- This document was first issued as GB/T 19713-2005 in 2005;
- This is the first revision.

Cybersecurity technology - Public key infrastructure - Online certificate status protocol

1 Scope

This document presents a mechanism for querying the status of digital certificates without requesting a certificate revocation list (CRL), that is, online certificate status protocol (OCSP), including the content and syntax specifications of the OCSP.

This document is applicable to the construction of public key infrastructure and secure applications based on the online certificate status protocol (OCSP), among others.

2 Normative references

The following normative documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

GB/T 16263.1 Information technology - ASN.1 encoding rules - Part 1: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
GB/T 19714-2005 Information technology - Security technology - Internet public key infrastructure - Certificate management protocol
GB/T 20518-2018 Information security technology - Public key infrastructure - Digital certificate format
GB/T 25069 Information security techniques - Terminology
GB/T 32915 Information security technology - Randomness test methods for binary sequence
GB/T 33560-2017 Information security technology - Cryptographic application identifier criterion specification
GB/T 35276-2017 Information security technology - SM2 cryptographic algorithm usage specification

3 Terms and definitions

For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.

3.1 requester
entity or device that requests online certificate status query services

3.2 responder
entity or device that provides online certificate status query services

3.3 online certificate status protocol; OCSP
protocol that allows for querying the status of digital certificates without requesting a certificate revocation list (CRL)

4 Abbreviations

For the purposes of this document, the following abbreviations apply.

CA: Certification Authority
HTTP: Hyper Text Transfer Protocol
LDAP: Lightweight Directory Access Protocol
OID: Object ID
PKI: Public Key Infrastructure
SMTP: Simple Mail Transfer Protocol
URI: Uniform Resource Identifier
URL: Uniform Resource Locator

5 General provisions

5.1 Introduction

OCSP can provide revocation status for applications requiring immediate certificate status verification; compared with querying CRLs, OCSP can provide more timely revocation status information updates and additional status information, serving as an alternative or supplementary method to the CRL query method.

This document extends the conventional OCSP by incorporating a lightweight OCSP mechanism, designed to accommodate the application requirements of PKI environments at ultra-large scales or those necessitating lightweight solutions to minimize the bandwidth and the processing capabilities of requesters/responders.

The relationship among the OCSP requester, OCSP responder, and CA is illustrated in Figure 1, where the OCSP requester sends a certificate verification request to the OCSP responder, which processes the request and returns response data, while the CA issues certificate status updates to the OCSP responder. This document provides a description of the data and data formats to be exchanged between the OCSP requester and the OCSP responder.
Referenced in GB/T 19713-2025:
* GB/T 16263.1-2006 Information technology - ASN.1 encoding rules - Part 1: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
* GB/T 19714-2005 Information technology - Security technology - Internet public key infrastructure - Certificate management protocol
* GB/T 20518-2018 Information security technology - Public key infrastructure - Digital certificate format
* GB/T 25069-2022 Information security techniques - Terminology
* GB/T 32915-2016 Information security technology - Binary sequence randomness detection method
* GB/T 35276-2017 Information security technology - SM2 cryptography algorithm usage specification