VeriSign announced last week that 2 billion certificate verification requests were made to, and handled by, its trust infrastructure. Version 3 of X509 certificates contain an extension for listing a URL to a Certificate Revocation List (CRL) distribution point, where the status of a given certificate can be verified. So for example if you make an SSL connection and wish to check that the server certificate has not been revoked, then your browser can look for a CRL distribution point in the certificate and hand it off to an Online Certificate Status Protocol (OCSP) handler for checking.
Here is a quick overview of the use for OCSP in a typical online transaction scenario (from TORSEC), and you can think of VeriSign acting as the CA and provider of its own OCSP responder
In the early days of PKI there was a chicken-and-egg problem in that certificate providers did not make use of the CRL extension because browsers did not make the checks (there was no OCSP), because the certificates did not have a CRL extension, and so on. But OCSP checks seems alive and well today, made each time a user initiates a smartcard logon, VPN access or Web authentication. In fact, VeriSign has seen OCSP traffic double in less than a year.
No comments:
Post a Comment