What is OCSP?
The Online Certificate Status Protocol (OCSP) is the protocol used by browsers to obtain the revocation status of a digital certificate attached to a website. Naturally OCSP speed is considered one of the main criteria for quality, as browsers reach out to webservers and confirm that the SSL certificate is valid.
It is the first criteria, but certainly not the only one. Most of the major Certificate Authorities (CAs) measure similarly in OCSP speeds according to reputable third party tests, some trending slightly lower or higher. Mindful investments in infrastructure and architecture keep the speed battle going, and competition is fierce. But there are four aspects to OCSP and the whole SSL certificate verification structure that should be considered, and held equal in importance.
A second factor is reliability. When a Certificate Authority is tricked into issuing a legitimate SSL certificate for third party fraudulent activities, the entire industry can suffer a loss of trust. A few years ago, DigiNotar went out of business after they had a reliability failure when an attacker obtained fraudulent certificates for several dozen Internet domains. In return, the major Web browser vendors had to remove all trust from DigiNotar’s certificates, and the CA folded. Reliability creates trust. A CA needs reliable, audited business practices for authentication and revocation alike.
Availability is the simplest to talk about to a lay person: Either a site is up or it's down. Either an OCSP response returns or it does not. These are simple concepts, but reputation can still play a factor. If your company is known to have major outages, and by major let's define longer than 10 minutes at a time, your reputation for availability will start to suffer. There are sites dedicated to tracking the uptime of various vendors for online availability, so clearly it matters to consumers and businesses alike.
Fourth there's security, both physical and logical. To maintain a public CA, your physical and logical security must be beyond reproach. Your business continuity and disaster planning has to be extensive. CAs invest in security infrastructure, building or buying malware-protection systems, conducting regular audits, and run vulnerability assessments to cover all known vectors of attack. Multi-layer security and continuous monitoring is expensive, but a necessary part of overhead to protect the integrity of the business and the consumer.
Smaller and local CAs globally often discover that the overhead and expense of running a mainstream commercial CA is too high, and sometimes they go out of business. But none of these four core components to OCSP, or indeed the whole commercial CA security ecosystem, can be sacrificed for any other and still maintain a web of trust on the internet.
Read more about PKI, OCSP, and best practices HERE.
The Online Trust Alliance has published a whitepaper on CA best practices as well HERE.