https://www.immuniweb.com/ssl/ is one of several sites that evaluate security for websites and issue "grades". On that site it claims that both NIST and HIPAA standards require OCSP, a feature that is no longer available in LE certificates.
Is this community aware of any upcoming changes in the standards? I miss my "A+" rating from those sites ...
TLS servers shall be configured with certificates issued by a CA that publishes revocation information in Online Certificate Status Protocol (OCSP) [63] responses. The CA may additionally publish revocation information in a certificate revocation list (CRL) [19]. The source(s) for the revocation information shall be included in the CA-issued certificate in the appropriate extension to promote interoperability.
I didn't see any "If a CRL is present, then OCSP is not necessary", so it seems that NIST standard indeed mandates OCSP for the server certificate.
Not sure about HIPAA, didn't see any literal reference to a standard for that one.
Agree, but, it's funny ... the NIST Guidelines also describe what TLS Clients should do. And, in those sections it looks like CRL is a suitable alternative.
Especially section 4.2.2
4.2.2 Obtaining Revocation Status Information for the Server Certificate
The client shall perform revocation checking of the server certificate. Revocation information can be obtained by the client from one of the following locations:
OCSP response or responses in the server’s CertificateStatus message ([29], [54]) (or Certificate message in TLS 1.3);
Certificate Revocation List (CRL) or OCSP response in the client’s local certificate store;
OCSP response from a locally configured OCSP responder;
OCSP response from the OCSP responder location identified in the OCSP field in the Authority Information Access extension in the server certificate; or
CRL from the CRL Distribution Point extension in the server certificate.
When the server does not provide the revocation status, the local certificate store does not have the current or a cogent CRL or OCSP response, and the OCSP responder and the CRL distribution point are unavailable or inaccessible at the time of TLS session establishment, the client will either terminate the connection or accept a potentially revoked or compromised certificate. The decision to accept or reject a certificate in this situation should be made according to agency policy.
Also ... excerpt from section 4.5.1
The client shall validate the server certificate ... The revocation status of each certificate in the certification path shall be checked using the Online Certificate Status Protocol (OCSP) or a certificate revocation list (CRL).
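To make the client-side procedure in the quoted section 4.2.2 concrete, here is an added Python model (not from the NIST document, the forum, or any TLS library) of the lookup order it lists: stapled response, local store, locally configured responder, the AIA OCSP URL, then the CRL Distribution Point. Every name in it (`check_revocation`, `CertificateView`, `run_scenarios`, the sample URLs) is an assumption of this example, revocation data is constructed in memory rather than fetched, and the final "terminate or accept" choice is a `hard_fail` flag standing in for the agency policy the text refers to. It shows the case the thread is about: a certificate with no OCSP URL, or one whose responder is unreachable, still gets a definitive answer from the CRL.

```python
"""Model of the revocation-source order in NIST SP 800-52r2 section 4.2.2 (example, not real TLS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # no usable revocation information was found


@dataclass
class RevocationInfo:
    """One OCSP response or CRL: its verdict and validity window."""
    status: Status
    this_update: datetime
    next_update: datetime

    def is_current(self, now: datetime) -> bool:
        # A stale response or CRL is treated as if it were absent.
        return self.this_update <= now < self.next_update


@dataclass
class CertificateView:
    """The fields of a server certificate this model needs (constructed, not parsed)."""
    serial: str
    ocsp_url: Optional[str] = None   # OCSP location from the AIA extension
    crl_url: Optional[str] = None    # URL from the CRL Distribution Point extension


@dataclass
class Decision:
    accept: bool
    status: Status
    source: Optional[str]   # which 4.2.2 location supplied the answer, None if none did


Fetcher = Callable[[str], Optional[RevocationInfo]]


def check_revocation(cert: CertificateView, now: datetime, hard_fail: bool,
                     stapled: Optional[RevocationInfo] = None,
                     local_store: Optional[Dict[str, RevocationInfo]] = None,
                     local_responder_url: Optional[str] = None,
                     fetch: Fetcher = lambda url: None) -> Decision:
    """Try each source in the order section 4.2.2 lists them; first current answer wins."""
    store = local_store or {}
    candidates = [
        ("stapled", lambda: stapled),                                   # CertificateStatus / Certificate message
        ("local_store", lambda: store.get(cert.serial)),                # cached CRL or OCSP response
        ("local_responder", lambda: fetch(local_responder_url) if local_responder_url else None),
        ("aia_ocsp", lambda: fetch(cert.ocsp_url) if cert.ocsp_url else None),
        ("crldp", lambda: fetch(cert.crl_url) if cert.crl_url else None),
    ]
    for name, get in candidates:
        info = get()
        if info is None or not info.is_current(now):
            continue   # unavailable, inaccessible, or stale: move to the next location
        return Decision(accept=info.status is Status.GOOD, status=info.status, source=name)
    # Nothing usable: the text leaves this to agency policy (terminate vs. accept).
    return Decision(accept=not hard_fail, status=Status.UNKNOWN, source=None)


def run_scenarios() -> Dict[str, Decision]:
    """Constructed scenarios covering the success, fallback and failure paths."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def fresh(status: Status) -> RevocationInfo:
        return RevocationInfo(status, now - timedelta(hours=1), now + timedelta(days=1))

    def stale(status: Status) -> RevocationInfo:
        return RevocationInfo(status, now - timedelta(days=10), now - timedelta(days=3))

    ocsp, crl = "http://ocsp.example.test", "http://crl.example.test/ca.crl"   # placeholders
    full = CertificateView("01", ocsp_url=ocsp, crl_url=crl)
    crl_only = CertificateView("02", crl_url=crl)      # certificate with no OCSP URL at all
    crl_answers = lambda url: fresh(Status.GOOD) if url == crl else None   # OCSP responder down

    return {
        "stapled_good": check_revocation(full, now, True, stapled=fresh(Status.GOOD)),
        "stale_staple_cached_revoked": check_revocation(
            full, now, True, stapled=stale(Status.GOOD), local_store={"01": fresh(Status.REVOKED)}),
        "ocsp_down_crl_answers": check_revocation(full, now, True, fetch=crl_answers),
        "crl_only_cert": check_revocation(crl_only, now, True, fetch=crl_answers),
        "all_unavailable_hard_fail": check_revocation(full, now, True),
        "all_unavailable_soft_fail": check_revocation(full, now, False),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:28s} accept={d.accept!s:5s} status={d.status.value:8s} source={d.source}")
```

The two `all_unavailable` scenarios are the sentence the later reply quotes: with every source down the model reaches no verdict, and only the policy flag decides whether the connection is accepted. Note also that a stale stapled response is skipped rather than trusted, which is why the cached CRL in the second scenario is what rejects the certificate.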
No, I understand the point that the server certs shall have OCSP and they may optionally have CRL. And, I am pretty sure 4.2.2 is for how TLS Clients handle server certs. I believe section 3 was for Client certs.
In reading the TLS Client obligations 4.2.2 it ends with below. Which gives the client the choice as to how to proceed. I read that as the OCSP / CRL are "best efforts" rather than mandatory. My point was needing to interpret both the Client and the Server sections to fully understand the intention.
That said, I am pretty far outside my lane with NIST so I am curious to hear from other authoritative sources