
Distributed On-Line Certificate Status Protocol

D-OCSP (Distributed OCSP) is a CoreStreet technology that further improves the scalability of traditional OCSP.

Unlike traditional OCSP, D-OCSP does not require the Responders to be protected. In a Distributed OCSP system, a Validation Authority pre-computes signed OCSP responses for every certificate and distributes these responses to unprotected Responders.

The pre-computed responses contain no secret information, so compromising a given Responder does not compromise the security of the system. The responses are signed and tamper-evident, so the client can verify that the information it receives from a Responder is genuine. Since there is no need to secure each individual Responder, a deployment can include as many Responders as necessary to ensure quick response times for clients. The responses themselves are small and require little bandwidth to transmit, and they are simple for the Validation Authority to compute. Additionally, Distributed OCSP works with existing deployments because it is based on OCSP, an already accepted industry standard.
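As an added illustration (not CoreStreet's code, and not the real DER-encoded OCSP message format), the Go program below models the three roles described above: a Validation Authority that pre-signs one response per certificate, an unprotected Responder that merely stores and serves those responses, and a client that accepts a response only on the strength of the VA's signature and validity window. The serial numbers, timestamps and Ed25519 keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Response stands in for one pre-computed OCSP response (real ones are DER-encoded ASN.1).
type Response struct {
	Serial, ThisUpdate, NextUpdate uint64 // NextUpdate bounds how long a cached copy may be served
	Status                         string // "good" or "revoked"
	Signature                      []byte // VA signature over tbs(); changing any signed field breaks it
}

// tbs serialises the fields the VA signs.
func (r Response) tbs() []byte {
	return []byte(fmt.Sprintf("%d|%d|%d|%s", r.Serial, r.ThisUpdate, r.NextUpdate, r.Status))
}

// Precompute is the VA's batch job: sign every status up front, so Responders never hold the key.
func Precompute(priv ed25519.PrivateKey, status map[uint64]string, now, ttl uint64) map[uint64]Response {
	out := make(map[uint64]Response, len(status))
	for serial, st := range status {
		r := Response{Serial: serial, Status: st, ThisUpdate: now, NextUpdate: now + ttl}
		r.Signature = ed25519.Sign(priv, r.tbs())
		out[serial] = r
	}
	return out
}

// Verify is the client's check: trust comes from the VA key and the validity window, never from the Responder.
func Verify(vaPub ed25519.PublicKey, r Response, wantSerial, now uint64) (string, error) {
	switch {
	case r.Serial != wantSerial:
		return "", fmt.Errorf("response is for serial %d, not %d", r.Serial, wantSerial)
	case now < r.ThisUpdate || now > r.NextUpdate:
		return "", fmt.Errorf("outside validity window: stale or replayed")
	case !ed25519.Verify(vaPub, r.tbs(), r.Signature):
		return "", fmt.Errorf("bad signature: tampered or not issued by the VA")
	}
	return r.Status, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	store := Precompute(priv, map[uint64]string{1002: "revoked"}, 1700000000, 86400) // constructed sample
	forged := store[1002]
	forged.Status = "good" // a compromised Responder editing a status is caught by the client
	fmt.Println(Verify(pub, store[1002], 1002, 1700000060)) // the genuine copy verifies as "revoked"
	fmt.Println(Verify(pub, forged, 1002, 1700000060))      // the edited copy fails the signature check
}
```

The validity window matters because an unprotected Responder can still withhold a response or keep serving an old one; NextUpdate caps how long such a stale copy remains acceptable to clients.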

Advantages
  • Small bandwidth between responder and clients
  • No trusted responders required
  • Scales to ten million users
  • Computationally simple (no signing per transaction)
  • Works with all issued certificates
  • Industry standard

Suitable Applications

A Distributed OCSP solution works well for deployments of anywhere from several thousand to hundreds of millions of users. If a government agency with a number of centers of operation scattered throughout the world wanted to issue smart cards which would allow access to a networked fileserver containing sensitive information, or allow entry to field offices, Distributed OCSP would be an excellent solution.


CoreStreet's Server Validation Extensions (SerVE) provide secure validation of digital certificates for a wide range of secure applications. SerVE acts as a liaison between the requesting client, a responder holding the most recent certificate status, and the requested web application. To establish the validity of a certificate, SerVE requests the current certificate status from a responder. The responder returns an Online Certificate Status Protocol (OCSP) response that establishes the certificate's status. Finally, the application server permits or denies the client access to the requested secure page.

CoreStreet's Server Validation Extension has been designed to complement CoreStreet's Distributed OCSP infrastructure. Used together, the two technologies dramatically decrease response times while providing greater security, scalability and availability than first-generation OCSP implementations.
