Wednesday, April 21, 2010

VeriSign checking 2 billion certificates a day now

VeriSign announced last week that 2 billion certificate verification requests were made to, and handled by, its trust infrastructure. Version 3 of  X509 certificates contain an extension for listing a URL to a Certificate Revocation List (CRL) distribution point, where the status of a given certificate can be verified. So for example if you make an SSL connection and wish to check that the server certificate has not been revoked, then your browser can look for a CRL distribution point in the certificate and hand it off to an Online Certificate Status Protocol (OCSP) handler for checking.

Here is a quick overview of the use for OCSP in a typical online transaction scenario (from TORSEC), and you can think of VeriSign acting as the CA and provider of its own OCSP responder

image

In the early days of PKI there was a chicken-and-egg problem in that certificate providers did not make use of the CRL extension because browsers did not make the checks (there was no OCSP), because the certificates did not have a CRL extension, and so on.  But OCSP checks seems alive and well today, made each time a user initiates a smartcard logon, VPN access or Web authentication. In fact, VeriSign has seen OCSP traffic double in less than a year.

Reblog this post [with Zemanta]

1 comment:

boy labyog said...

Do you know where you can buy best but cheap suits? try emensuits as your best suit online store.