
Enhanced OCSP Requirements for Improved Certificate Validation Systems

This document provides updated requirements for the Online Certificate Status Protocol (OCSP) as a refresher on certificate validation systems. OCSP removes the burden of Certificate Revocation List (CRL) distribution and update by relying on lightweight request/response exchanges. Changes since the previous version include applying a document "finish", adding the missing sections, a complete reformat, and corrections based on feedback. The slides cover the updated architecture (periodic CRL downloads, the OCSP protocol, and trusted responders), then the outstanding issues: signed requests, a stronger differentiation between suspension and revocation, and conveying additional validation information via OCSP response extensions. The aim is to move the WG document towards last call and public comment before GGF14.

creidy


Presentation Transcript


  1. OCSP Requirements GGF13

  2. Refresher
     • OCSP = Online Certificate Status Protocol (RFC2560)
     • Removes(?) burden of CRL distribution and update
     • Clients still have to do path validation!
     • Lightweight request/response (HTTP)

  3. Changes since last time
     • Document “finish” applied
     • Missing sections added
     • Complete reformat
     • Corrections based on (marginal) feedback
     • Last week
     • Additional comments from Spain

  4. Updated architecture (diagram; components shown: periodic CRL download, OCSP protocol, CA push, Delta CRLs, site/organization boundary, CAs, OCSP cache, CRL cache, OCSP client, Authorized Responder, Trusted Responder, PMA)

  5. Outstanding issues
     • Signed requests
     • Stronger differentiation on suspension vs revocation
     • Use of OCSP response extensions to convey additional (validation) information
     • More wording on Delta CRLs
     • Notion of a caution period (RFC3125)
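The lightweight request/response exchange from slide 2 and the suspension-vs-revocation issue from slide 5, as an added example that is not part of the original slides: a client builds an OCSP request, a trusted responder (here the issuing CA itself) signs the answer, and the client verifies the signature against the responder it was configured to trust before mapping certificateHold to "SUSPENDED" rather than "REVOKED". It uses the Python `cryptography` library; the CA, end-entity certificate and statuses are constructed in the code for the demonstration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ReasonFlags, ocsp
from cryptography.x509.oid import NameOID
DER = serialization.Encoding.DER
GOOD, REVOKED = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED
now = lambda: dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)  # naive UTC, accepted everywhere

def make_cert(cn, key, issuer=None, issuer_key=None):
    """Constructed test PKI: self-signed CA when issuer is None, else an end-entity cert."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now() - dt.timedelta(minutes=1)).not_valid_after(now() + dt.timedelta(days=1))
            .sign(issuer_key or key, hashes.SHA256()))

def client_request(cert, ca_cert):
    """Client side: the small DER request that travels over HTTP."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA1()).build().public_bytes(DER)

def responder_answer(req_der, cert, ca_cert, ca_key, status, reason=None):
    """Trusted responder (here the CA itself) signs an answer that is fresh for one hour."""
    assert ocsp.load_der_ocsp_request(req_der).serial_number == cert.serial_number
    t = now()
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(), cert_status=status,
                          this_update=t, next_update=t + dt.timedelta(hours=1),
                          revocation_time=t if status is REVOKED else None, revocation_reason=reason)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()).public_bytes(DER))

def client_classify(resp_der, trusted_responder):
    """Client side: accept only the configured responder's signature, keep suspension apart from revocation."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    trusted_responder.public_key().verify(  # raises InvalidSignature if not signed by that responder
        resp.signature, resp.tbs_response_bytes, padding.PKCS1v15(), resp.signature_hash_algorithm)
    if resp.certificate_status is GOOD:
        return "GOOD"
    if resp.certificate_status is REVOKED:
        return "SUSPENDED" if resp.revocation_reason is ReasonFlags.certificate_hold else "REVOKED"
    return "UNKNOWN"

def demo():
    ca_key, ee_key = rsa.generate_private_key(65537, 2048), rsa.generate_private_key(65537, 2048)
    ca = make_cert("Demo CA", ca_key)
    ee = make_cert("demo-host", ee_key, ca, ca_key)
    req = client_request(ee, ca)
    cases = {"good": (GOOD, None), "hold": (REVOKED, ReasonFlags.certificate_hold),
             "compromise": (REVOKED, ReasonFlags.key_compromise)}
    return {k: client_classify(responder_answer(req, ee, ca, ca_key, s, r), ca) for k, (s, r) in cases.items()}
```

Path validation of the end-entity certificate is still the client's job, as slide 2 notes; this code only decides the revocation status.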

  6. Moving forward
     • Address the Spanish contributions
     • Move towards WG last call
     • Have document in public comment before GGF14
