If you have code like the following, is OCSP used for the 'online' revocation check?
    using System.Security.Cryptography.X509Certificates;

    // Build a chain for 'certificate' with online revocation checking enabled
    X509Chain ch = new X509Chain();
    ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
    ch.Build(certificate);
The API documentation is not explicit about this, saying:
"A revocation check is made using an online certificate revocation list (CRL)."
but not giving any details of how the check is made.
The X509Chain.Build method checks whether the property szOID_AUTHORITY_INFO_ACCESS has a value. I know this is where OCSP URLs are stored, so again this would suggest that OCSP is being used.
Build then calls BuildChain, and there a call is made to CertGetCertificateChain, passing the revocation flags as an unsigned int.
The documentation for CertGetCertificateChain gives the possible flags that can be passed in, including CERT_CHAIN_REVOCATION_CHECK_OCSP_CERT:
"This flag is used internally during chain building for an online certificate status protocol (OCSP) signer certificate to prevent cyclic revocation checks. During chain building, if the OCSP response is signed by an independent OCSP signer, then, in addition to the original chain build, there is a second chain built for the OCSP signer certificate itself. This flag is used during this second chain build to inhibit a recursive independent OCSP signer certificate. If the signer certificate contains the szOID_PKIX_OCSP_NOCHECK extension, revocation checking is skipped for the leaf signer certificate. Both OCSP and CRL checking are allowed."
Since a flag exists to 'inhibit' OCSP checking, I am thinking that it does happen, but again it would be nice to get an explicit confirmation of this.
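The managed API never reports which mechanism (OCSP or CRL) a revocation check used; the only things you can observe from X509Chain are what the certificate advertises and what ChainStatus comes back. The following is an added diagnostic, not code from the question or from the .NET runtime: it decodes the AIA extension (szOID_AUTHORITY_INFO_ACCESS, OID 1.3.6.1.5.5.7.1.1) to list any OCSP responder URLs, then builds the chain in Online mode and reports the combined status flags, so you can at least tell whether a revocation source existed and whether the check actually completed. It assumes .NET 6 or later (System.Formats.Asn1 and CertificateRequest); the class and method names are mine. With no argument it uses a constructed self-signed certificate that carries no AIA or CRL distribution point, i.e. the case where an online check has nothing to consult.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original post). Assumes .NET 6+ for
// System.Formats.Asn1 and CertificateRequest.
static class RevocationProbe
{
    const string AiaOid  = "1.3.6.1.5.5.7.1.1";   // id-pe-authorityInfoAccess (szOID_AUTHORITY_INFO_ACCESS)
    const string OcspOid = "1.3.6.1.5.5.7.48.1";  // id-ad-ocsp

    // Enumerate OCSP responder URLs from the AIA extension.
    //   AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
    //   AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    //   GeneralName.uniformResourceIdentifier is [6] IMPLICIT IA5String
    public static List<string> OcspUrls(X509Certificate2 cert)
    {
        var urls = new List<string>();
        X509Extension aia = cert.Extensions[AiaOid];
        if (aia == null) return urls; // no AIA at all: nothing advertises an OCSP responder

        AsnReader outer = new AsnReader(aia.RawData, AsnEncodingRules.DER).ReadSequence();
        var uriTag = new Asn1Tag(TagClass.ContextSpecific, 6);
        while (outer.HasData)
        {
            AsnReader ad = outer.ReadSequence();
            string method = ad.ReadObjectIdentifier();
            if (method == OcspOid && ad.PeekTag().HasSameClassAndValue(uriTag))
                urls.Add(ad.ReadCharacterString(UniversalTagNumber.IA5String, uriTag));
            else
                ad.ReadEncodedValue(); // skip caIssuers entries and non-URI GeneralNames
        }
        return urls;
    }

    // Build the chain in Online mode and return the OR of all status flags.
    // 'scope' controls which certificates are checked; the default for a new
    // X509Chain is ExcludeRoot, so pass EntireChain to include a self-signed root.
    public static X509ChainStatusFlags BuildOnline(X509Certificate2 cert, X509RevocationFlag scope)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = scope;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);
        chain.Build(cert);

        X509ChainStatusFlags combined = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus s in chain.ChainStatus) combined |= s.Status;
        return combined;
    }

    static void Main(string[] args)
    {
        X509Certificate2 cert;
        if (args.Length > 0)
        {
            cert = new X509Certificate2(args[0]); // a real leaf certificate (PEM or DER) to probe
        }
        else
        {
            // Constructed input: a self-signed certificate with no AIA and no CRL
            // distribution point, so an online revocation check has no source to consult.
            using RSA key = RSA.Create(2048);
            var req = new CertificateRequest("CN=no-aia-test", key,
                                             HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                        DateTimeOffset.UtcNow.AddDays(1));
        }

        Console.WriteLine($"Subject: {cert.Subject}");
        List<string> urls = OcspUrls(cert);
        Console.WriteLine(urls.Count == 0
            ? "AIA: no OCSP responder URL advertised"
            : "AIA OCSP responders: " + string.Join(", ", urls));

        X509ChainStatusFlags flags = BuildOnline(cert, X509RevocationFlag.EntireChain);
        Console.WriteLine($"ChainStatus: {flags}");

        // RevocationStatusUnknown / OfflineRevocation mean the check did not complete.
        // Treat that as a failed check, not as "not revoked".
        bool undetermined = flags.HasFlag(X509ChainStatusFlags.RevocationStatusUnknown)
                         || flags.HasFlag(X509ChainStatusFlags.OfflineRevocation);
        Console.WriteLine(undetermined
            ? "Revocation status could NOT be determined online."
            : "Revocation check completed (inspect flags for Revoked).");
    }
}
```

Run it against a real leaf certificate to see whether an OCSP responder is advertised at all; if the AIA has no id-ad-ocsp entry, whatever Online mode does cannot be OCSP for that certificate. To confirm which URL the platform actually fetched, the managed API will not tell you: watch the network, or on Windows enable the Microsoft-Windows-CAPI2/Operational event log, which records the revocation retrievals made by CertGetCertificateChain.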