1 / 8

Lightweight OCSP Profile for High Volume Environments

This profile outlines how clients and servers can use OCSP in pre-production mode, with a minimal implementation for ease of client implementation. It is important in constrained environments, supports cross-WG initiatives, and enables revocation checking in high volume environments like TLS in e-commerce.

jfetzer
Download Presentation

Lightweight OCSP Profile for High Volume Environments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lightweight OCSP Profile for High Volume Environments November 10, 2004 Ryan M. Hurst Alex Deacon

  2. Goals • Profile how clients and servers use OCSP in its “Response Pre-production” mode. • Profile minimal implementation for ease of client implementation. • Important in constrained environments (reduced bandwidth) • Support cross-WG initiatives to decentralize response distribution. • Important step to support revocation checking in high volume environments like TLS in e-commerce • Use of OCSP in disconnected (catch 22) scenarios (e.g. Need to auth. server to get IP.)

  3. Supports peer WG initiatives • IP Security Protocol (ipsec) • OCSP Extensions to IKEv2 • Transport Layer Security (tls) • TLS Extensions (RFC 3546) • 3.6. Certificate Status Request • EAP-TLS • Kerberos WG (krb-wg) • OCSP Support for PKINIT

  4. Where are we? • VeriSign has public implementation of current draft available. • CoreStreet current client and server supports profile. • Tumbleweed current client and server supports profile. • Microsoft current Longhorn beta (client) supports profile.

  5. Open Issues • nextPublish vs. max-age and ETag • Later appears to be the more accepted route • Remember these are Hints not Policies… • Response validity nesting; clarification of text.

  6. Questions?

  7. Facts • Internet Explorer, Firefox, Opera, Safari, etc. do not enable revocation checking by default. • Commercial certificate authority CRLs are quite large (800k+ in some important cases) • Use of OCSP in traditional “real time” mode would result in many requests per page, many request per corporation. • The majority of public internet consumers are dial up (~56k), especially true internationally.

  8. Misconceptions • Pre-Production is about optimizing out RSA signs • No, it is about: • Bring revocation data closer to the relying party. • Reduce number of potential failure points in e-commerce transactions with revocation checking enabled. • Enabling catch-22 revocation scenarios. • Deploying cost effective OCSP solutions in suitable environments (inexpensive Geographic distribution).

More Related