This profile outlines how clients and servers can use OCSP in its "response pre-production" mode, and specifies a minimal implementation to ease client development. It matters in constrained environments, supports cross-WG initiatives, and enables revocation checking in high-volume environments such as TLS in e-commerce.
Lightweight OCSP Profile for High Volume Environments
November 10, 2004
Ryan M. Hurst, Alex Deacon
Goals
• Profile how clients and servers use OCSP in its "Response Pre-production" mode.
• Profile a minimal implementation for ease of client implementation.
• Important in constrained environments (reduced bandwidth).
• Support cross-WG initiatives to decentralize response distribution.
• Important step toward supporting revocation checking in high volume environments like TLS in e-commerce.
• Use of OCSP in disconnected (catch-22) scenarios (e.g. the client must authenticate to a server before it can obtain an IP address).
Supports peer WG initiatives
• IP Security Protocol (ipsec)
  • OCSP Extensions to IKEv2
• Transport Layer Security (tls)
  • TLS Extensions (RFC 3546), section 3.6 "Certificate Status Request"
• EAP-TLS
• Kerberos WG (krb-wg)
  • OCSP Support for PKINIT
Where are we?
• VeriSign has a public implementation of the current draft available.
• CoreStreet's current client and server support the profile.
• Tumbleweed's current client and server support the profile.
• Microsoft's current Longhorn beta (client) supports the profile.
Open Issues
• nextPublish vs. max-age and ETag
  • The latter appears to be the more accepted route.
  • Remember these are hints, not policies…
• Response validity nesting; clarification of text.
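To make the "hints, not policies" point concrete, here is an added example (not code from the slides, VeriSign, or any of the implementations named) of the max-age/ETag route: the server derives HTTP cache hints from a pre-produced response's validity window, and the client decides whether a cached response may be relied on from the signed thisUpdate/nextUpdate alone, never from the cache headers. The header set, the ETag-over-response-bytes choice and the five-minute skew allowance are assumptions of this example.

```python
"""Pre-produced OCSP responses behind HTTP caching: server-side hints and a
client-side check that treats those hints as advisory only.

Added example; assumes the "max-age and ETag" route from the open-issues slide.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the DER bytes of a pre-produced OCSP response.
SAMPLE_RESPONSE = b"constructed-ocsp-response-bytes"

HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"


def cache_headers(response: bytes, this_update: datetime,
                  next_update: datetime, now: datetime) -> dict:
    """Server/cache side: HTTP hints for a response produced at this_update
    and valid until next_update (all datetimes UTC, timezone-aware).

    max-age is the validity remaining at the time of serving; a response
    already past nextUpdate gets max-age 0 so intermediaries stop reusing it.
    The ETag is a digest of the response bytes, so a client can revalidate
    cheaply with If-None-Match and the responder can answer 304 when the
    pre-produced response has not been regenerated.
    """
    remaining = int((next_update - now).total_seconds())
    return {
        "Cache-Control": f"max-age={max(remaining, 0)}, public, "
                         "no-transform, must-revalidate",
        "Expires": next_update.strftime(HTTP_DATE),
        "Last-Modified": this_update.strftime(HTTP_DATE),
        "ETag": '"' + hashlib.sha1(response).hexdigest() + '"',
    }


def response_usable(this_update: datetime, next_update: datetime,
                    now: datetime,
                    max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Client side: the cache headers are hints only. Whether a (possibly
    cached) response may be relied on is decided from its signed validity
    window, with a bounded allowance for clock skew between client and
    responder. A stale copy served by a misbehaving cache is rejected here
    even though its HTTP headers once said it was fresh.
    """
    return this_update - max_skew <= now <= next_update + max_skew
```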
Facts
• Internet Explorer, Firefox, Opera, Safari, etc. do not enable revocation checking by default.
• Commercial certificate authority CRLs are quite large (800k+ in some important cases).
• Use of OCSP in traditional "real time" mode would result in many requests per page and many requests per corporation.
• The majority of public internet consumers are on dial-up (~56k); this is especially true internationally.
Misconceptions
• Pre-production is about optimizing out RSA signs.
  • No, it is about:
    • Bringing revocation data closer to the relying party.
    • Reducing the number of potential failure points in e-commerce transactions with revocation checking enabled.
    • Enabling catch-22 revocation scenarios.
    • Deploying cost-effective OCSP solutions in suitable environments (inexpensive geographic distribution).