Abstract
A PKI (public key infrastructure) provides for a digital certificate that can identify an individual or an organization. However, the existence of a certificate is a necessary but not sufficient evidence for its validity. The PKI needs to provide applications that use certificates with the ability to validate, at the time of usage, that a certificate is still valid (not revoked). One of the two standard protocols to check the revocation status of certificates is the Online Certificate Status Protocol (OCSP). In this article, we propose an OCSP-based implementation that enhances the performance of standard OCSP. In particular, we put special emphasis on those issues that affect security and performance when the validation service is deployed in a real scenario. Finally, we provide experimental results that show that our implementation outperforms standard OCSP.
Similar content being viewed by others
References
Housley, R., Polk, W., Ford, W., & Solo, D. (2002). Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 3280, Internet Engineering Task Force, April 2002.
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., & Polk, W. (2008). Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280, Internet Engineering Task Force, May 2008.
ITU/ISO Recommendation X. 509 (1997). Information technology Open Systems Interconnection—The Directory: Public Key and Attribute Certificate Frameworks.
Myers, M., Ankney, R., Malpani, A., Galperin, S., & Adams, C. (1999). X.509 Internet Public Key Infrastructure Online Certificate Status Protocol—OCSP. RFC 2560, Internet Engineering Task Force, June 1999.
Muñoz, J. L., Esparza, O., Forné, J., & Pallares, E. (2008). H-OCSP: A protocol to reduce the processing burden in online certificate status validation. Electronic Commerce Research (ECR).
Muñoz, J. L., Forné, J., Esparza, O., & Soriano, M. (2004). Cervantes. A certificate validation test-bed. In LNCS: Vol. 3093. Public key infrastructure (pp. 28–42). Berlin: Springer.
Even, S., Goldreich, O., & Micali, S. (1996). Online/offline signatures. Journal of Cryptology, 9, 35–67.
Deacon, A., & Hurst, R. (2007). The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments. RFC 5019, Internet Engineering Task Force, September 2007.
Kuzmanovic, A., & Knightly, E. W. (2003). Low-rate TCP-targeted denial of service attacks: The shrew vs. the mice and elephants. In ACM SIGCOMM, August 2003.
Kocher, P. C. (1998). On certificate revocation and validation. In LNCS: Vol. 1465. International conference on financial cryptography (pp. 172–177). Berlin: Springer.
Aho, A. V., Hopcroft, J. E., & Ullman, J. D. (1988). Data structures and algorithms. Reading: Addison-Wesley.
Kikuchi, H., Abe, K., & Nakanishi, S. (2000). Performance evaluation of public-key certificate revocation system with balanced hash tree. In Second international workshop on information security (ISW 99) (pp. 103–117). Berlin: Springer.
Kikuchi, H., Abe, K., & Nakanishi, S. (2001). Certificate revocation protocol using k-ary hash tree. IEICE Transactions on Communications, 8, 2026–2032.
Naor, M., & Nissim, K. (2000). Certificate revocation and certificate update. IEEE Journal on Selected Areas in Communications, 18(4), 561–560.
Muñoz, J. L., Forné, J., Esparza, O., & Soriano, M. (2004). Certificate revocation system implementation based on the Merkle hash tree. International Journal of Information Security (IJIS), 2(2), 110–124.
Goodrich, M., & Tamassia, R. (2000). Efficient authenticated dictionaries with skip lists and commutative hashing. Technical report, Johns Hopkins Information Security Institute.
Micali, S. (2002). NOVOMODO. Scalable certificate validation and simplified PKI management. In 1st annual PKI research workshop (pp. 15–25).
Micali, S. (1996). Efficient certificate revocation. Technical report TM-542b, MIT Laboratory for Computer Science.
Zhou, J., Bao, F., & Deng, R. (2006). Minimizing TTP’s involvement in signature validation. International Journal of Information Security (IJIS), 5(1), 37–47.
Koga, S., Ryou, J., & Sakurai, K. (2004). Pre-production methods of a response to certificates with the common status—design and theoretical evaluation. In LNCS: Vol. 3093. EuroPKI (pp. 85–97). Berlin: Springer.
Iliadis, J., Gritzalis, S., Spinellis, D., Cock, D., Preneel, B., & Gritzalis, D. (2003). Towards a framework for evaluating certificate status information mechanisms. Computer Communications, 26(16), 1839–1850.
Berkovits, S., Chokhani, S., Furlong, J., Geiter, J., & Guild, J. (1994). Public key infrastructure study: Final report. Technical report, The MITRE Corporation for NIST.
Arnes, A. (2000). Public key certificate revocation schemes. Master Thesis, Queen’s University, Ontario, Canada, February 2000.
Perlines Hormann, T., Wrona, K., & Holtmanns, S. (2006). Evaluation of certificate validation mechanisms. Computer Communications, 29(3), 291–305.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Muñoz, J.L., Esparza, O., Forné, J. et al. Design and implementation of a lightweight online certificate validation service. Telecommun Syst 41, 229–241 (2009). https://doi.org/10.1007/s11235-009-9144-2
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11235-009-9144-2