Search results
Results from the WOW.Com Content Network
Since an OCSP response has less data to parse, the client-side libraries that handle it can be less complex than those that handle CRLs. [11] OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information. [2]
OCSP stapling is designed to reduce the cost of an OCSP validation, both for the client and the OCSP responder, especially for large sites serving many simultaneous users. However, OCSP stapling supports only one OCSP response at a time, which is insufficient for certificate chains with intermediate CA certs.
OCSP suffers from scalability issues. It relies on the client having network access at the time of checking the certificate's revocation status; further, the OCSP responder must be accessible and produce usable responses, or else the check will fail and the client must choose between failing-soft and failing-hard.
An alternative to using CRLs is the certificate validation protocol known as Online Certificate Status Protocol (OCSP). OCSP has the primary benefit of requiring less network bandwidth, enabling real-time and near real-time status checks for high volume or high-value operations.
To reduce the amount of network traffic required for certificate validation, the OCSP protocol may be used instead. While a validation authority is capable of responding to a network-based request for a CRL, it lacks the ability to issue or revoke certificates.
XiPKI, [36] CA and OCSP responder. With SHA-3 support, implemented in Java. (Apache licensed) XCA [37] is a graphical interface, and database. XCA uses OpenSSL for the underlying PKI operations. DogTag is a full featured CA developed and maintained as part of the Fedora Project.
Get AOL Mail for FREE! Manage your email like never before with travel, photo & document views. Personalize your inbox with themes & tabs. You've Got Mail!
The SCVP server's response contains a set of certificates making up a valid path between the certificate in question and one of the trusted certificates. The response may also contain proof of revocation status, such as OCSP responses, for the certificates in the path. Once a certification path has been constructed, it needs to be validated.