Validation with the Online Certificate Status Protocol (OCSP)
To solve the problems of certificate validation in an efficient manner, the PKIX working group of the IETF (The Internet Engineering Task Force) proposed the Online Certificate Status Protocol (OCSP) in June 1999. This protocol allows a client to request information regarding the validity of one or more certificates; the request is answered (and digitally signed) by a so-called responder. This method of certificate validation brings two major improvements. The first and foremost is effective risk management, as an OCSP responder is able to provide real-time status information to the user. The second is that this protocol lessens network traffic significantly, as users no longer receive a huge list of which they need only a few entries, but get only the information they need. To ensure maximum compatibility with the various networks, HTTP is used to transport the request and the response between a client and the OCSP responder.
Most e-commerce systems have developed a lot of interest in this technology. This is not only because OCSP provides real-time validation and therefore allows them to set up effective risk management, but also because of billing. Since OCSP requests are the only communication between the seller of a product in an e-commerce system and a trust center for every transaction, the number of requests can be the basis for billing per request. With this kind of billing system, the seller of a product in an e-commerce system is billed, not the "buyer" (end user), as is the case when selling certificates.
Details and specifications of OCSP can be found in RFC 2560.