Online Certificate Status Protocol
The Online Certificate Status Protocol (OCSP) is an Internet protocol used to validate an X.509 digital certificate. It is an Internet standard described in RFC 2560. This protocol is an alternative that solves some of the problems raised by certificate revocation lists (CRLs) in a public key infrastructure (PKI). OCSP messages are encoded in ASN.1 and can be transported over various application protocols (SMTP, LDAP, ..., but HTTP is the most common). Since OCSP communications take the form of a request and a response, OCSP servers are called OCSP responders.
Centralising certificate validation
Certificate validation is a more complex task than it appears. It is traditionally carried out by the PKI client, so a great deal of trust is placed in the client for this critical processing. However, most PKI clients still carry out their validation in an incomplete or imperfect way (as of 2006). For example, web browsers do not retrieve CRLs automatically, which makes it hard to keep the revocation information up to date.
OCSP makes it possible to centralise this task within a PKI. To validate a certificate, the client now has to communicate with only one entity: the OCSP responder. One also speaks of a validation authority (VA).
Advantages over CRLs
Several reasons can lead one to prefer the OCSP protocol over traditional CRLs.
- OCSP provides more up-to-date information on the status of a certificate.
- With OCSP, the client no longer needs to retrieve the CRL itself. Given the sometimes considerable size of a CRL, this reduces network traffic.
- The client no longer has to process the CRL itself, which saves it a relatively complex piece of processing.
- An OCSP responder makes it possible to offer billing mechanisms to the vendor rather than to the purchaser.
- A CRL can be compared to a bank's list of "bad customers", which constitutes an undesirable leak of information.
Other advantages
OCSP has other advantages in terms of client deployment and network architecture.
- It is the OCSP responder that retrieves the various certificates making up a certificate chain, as well as the CRLs. This simplifies communications, because the client does not necessarily have the connectivity needed to retrieve them (filtering by a firewall, etc.).
- The OCSP responder validates the whole certification path. The client is thus spared this other resource-consuming processing.
- Thanks to the chaining of OCSP responders, the client only talks to a single responder, which it trusts. This spares the client more complex communications.
Example of use
- Alice and Bob are clients of Ivan, the certification authority (CA). They hold Ivan's public key certificate.
- Alice and Bob each have a public key certificate issued by Ivan.
- Alice wants to carry out a transaction with Bob. She therefore sends him her certificate, which contains her public key.
- Bob wants to make sure that Alice's certificate has not been revoked. He creates an OCSP request containing the fingerprint of Alice's certificate and sends it to Ivan.
- Ivan's OCSP responder checks the status of Alice's certificate in the CA's database.
- The OCSP responder confirms the validity of Alice's certificate by sending a signed positive OCSP response to Bob.
- Bob verifies the cryptographic signature of the response.
- Bob carries out his transaction with Alice.
Concept of operation
Diagram (not reproduced): how the OCSP request is formed and sent to the OCSP server.
Diagram (not reproduced): how the OCSP response is formed and sent to the OCSP client.
The response can be: GOOD - REVOKED - UNKNOWN
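The exchange between Bob and Ivan's responder, and the three verdicts of the response diagram, as an added example that is not part of the original article: a Go model (not any real OCSP implementation) of the certificate identifier sent in the request, the responder's database lookup and signed answer, and the checks the client performs on that answer. What the identifier contains (hash of the issuer's name, hash of the issuer's public key, serial number) follows RFC 2560; everything else is an assumption of this model: ECDSA P-256 keys, a simplified string encoding under the signature instead of DER, int64 serial numbers, and the constructed CA name "CN=Ivan CA" with serials 1001 (Alice), 1002 (revoked) and 9999 (never issued).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// The three verdicts shown in the diagram.
const StatusGood, StatusRevoked, StatusUnknown = "GOOD", "REVOKED", "UNKNOWN"

// CertID names the certificate asked about (RFC 2560 section 4.1.1). Real serials are
// arbitrary-size INTEGERs; int64 is a model assumption that keeps CertID comparable with ==.
type CertID struct {
	IssuerNameHash, IssuerKeyHash [20]byte // SHA-1 of the issuer's DER name and public key bits
	Serial                        int64
}

// NewCertID derives the CertID for serial under the issuer named issuerName (its DER-encoded
// Name in a real certificate) holding pub. For an EC key the subjectPublicKey BIT STRING
// content is the uncompressed point, so that is what gets hashed.
func NewCertID(serial int64, issuerName []byte, pub *ecdsa.PublicKey) CertID {
	return CertID{sha1.Sum(issuerName), sha1.Sum(elliptic.Marshal(pub.Curve, pub.X, pub.Y)), serial}
}

// Response is the signed answer; the signature binds ID, Status and ThisUpdate together.
type Response struct {
	ID         CertID
	Status     string
	ThisUpdate int64 // Unix seconds
	Signature  []byte
}

// digest hashes the signed fields. Fixed-width hashes and constant status strings make
// this encoding unambiguous; real OCSP signs the DER of ResponseData instead (assumption).
func (r Response) digest() []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%x|%x|%d|%s|%d", r.ID.IssuerNameHash[:], r.ID.IssuerKeyHash[:], r.ID.Serial, r.Status, r.ThisUpdate)))
	return d[:]
}

// Responder models Ivan's responder: the CA's name and signing key plus its database of serials.
type Responder struct {
	Name            []byte
	Key             *ecdsa.PrivateKey
	Issued, Revoked map[int64]bool
}

// Respond answers one CertID. A serial the CA never issued, or an ID whose issuer hashes
// belong to another CA, is answered UNKNOWN, never GOOD.
func (r *Responder) Respond(id CertID) (Response, error) {
	resp := Response{ID: id, Status: StatusUnknown, ThisUpdate: time.Now().Unix()}
	switch {
	case NewCertID(id.Serial, r.Name, &r.Key.PublicKey) != id: // not one of ours
	case r.Revoked[id.Serial]:
		resp.Status = StatusRevoked
	case r.Issued[id.Serial]:
		resp.Status = StatusGood
	}
	sig, err := ecdsa.SignASN1(rand.Reader, r.Key, resp.digest())
	resp.Signature = sig
	return resp, err
}

// VerifyResponse is Bob's check: right certificate, valid signature under the responder's
// key, and not older than maxAge (so a replayed old GOOD answer is rejected).
func VerifyResponse(resp Response, asked CertID, pub *ecdsa.PublicKey, maxAge time.Duration) error {
	switch {
	case resp.ID != asked:
		return errors.New("response concerns a different certificate")
	case !ecdsa.VerifyASN1(pub, resp.digest(), resp.Signature):
		return errors.New("invalid responder signature")
	case time.Now().Unix()-resp.ThisUpdate > int64(maxAge.Seconds()):
		return errors.New("stale response")
	}
	return nil
}

// main plays the exchange on constructed data: Ivan issued 1001 (Alice) and 1002 (since
// revoked); 9999 was never issued. Bob asks about each and verifies the signed answer.
func main() {
	ivanKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	ivan := &Responder{Name: []byte("CN=Ivan CA"), Key: ivanKey, Issued: map[int64]bool{1001: true, 1002: true}, Revoked: map[int64]bool{1002: true}}
	for _, serial := range []int64{1001, 1002, 9999} {
		id := NewCertID(serial, ivan.Name, &ivanKey.PublicKey) // Bob's request about this serial
		resp, err := ivan.Respond(id)
		if err == nil {
			err = VerifyResponse(resp, id, &ivanKey.PublicKey, 5*time.Minute)
		}
		fmt.Println(serial, resp.Status, err)
	}
}
```

Running it prints one line per serial with the verdict obtained and any verification error. The point a client has to get right is visible in VerifyResponse: checking the signature alone is not enough; the response must also name the certificate that was actually asked about and be recent, otherwise a correctly signed but old GOOD answer for a since-revoked certificate would still be accepted.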
External links
- Open Validation, an information portal on validation
- A company specialised in validation / CoreStreet
- OCSP client for Microsoft (IIS, cd., etc.)
- OCSP-compatible browser: Mozilla Firefox
- Discovering and implementing the OCSP protocol with ocspd
- Implementation of an OCSP client for Apache / HES Geneva & expert Solutions
- Implementing Online Certificate Status Protocol / Tirthankar Barari
Alternative to OCSP: the SCVP protocol
- Internet-Drafts