Snowflake uses which protocol to determine certificate revocation during HTTPS connections?

OCSP, the Online Certificate Status Protocol, is used to check certificate revocation during HTTPS. After the certificate chain is validated, the client can query the CA’s OCSP responder to confirm that the certificate hasn’t been revoked. This provides real-time status without needing to download a full revocation list. OCSP responses can be cached and sometimes delivered via stapling by the server to cut down on round-trips during the TLS handshake. TLS is the secure protocol that encrypts the connection, but it doesn’t define how revocation status is obtained—OCSP (or CRLs) handles that part. DNSSEC is unrelated to certificate revocation; it protects DNS integrity. While CRLs are an older method, OCSP offers a more efficient, timely check, which is why it’s used for revocation in HTTPS connections.