Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lightweight OCSP Profile for High Volume Environments November 10, 2004 Ryan M. Hurst Alex Deacon.

Published byBaby Tabb Modified over 9 years ago

Similar presentations

Presentation on theme: "Lightweight OCSP Profile for High Volume Environments November 10, 2004 Ryan M. Hurst Alex Deacon."— Presentation transcript:

1 Lightweight OCSP Profile for High Volume Environments November 10, 2004 Ryan M. Hurst Alex Deacon

2 Goals Profile how clients and servers use OCSP in its “Response Pre-production” mode.OCSP Profile minimal implementation for ease of client implementation. –Important in constrained environments (reduced bandwidth) Support cross-WG initiatives to decentralize response distribution. –Important step to support revocation checking in high volume environments like TLS in e-commerce Use of OCSP in disconnected (catch 22) scenarios (e.g. Need to auth. server to get IP.)

3 Supports peer WG initiatives IP Security Protocol (ipsec)ipsec –OCSP Extensions to IKEv2OCSP Extensions to IKEv2 Transport Layer Security (tls)tls –TLS Extensions (RFC 3546)RFC 3546 3.6. Certificate Status Request –EAP-TLS Kerberos WG (krb-wg)krb-wg –OCSP Support for PKINITOCSP Support for PKINIT

4 Where are we? VeriSign has public implementation of current draft available.VeriSign CoreStreet current client and server supports profile.CoreStreet Tumbleweed current client and server supports profile.Tumbleweed Microsoft current Longhorn beta (client) supports profile.

5 Open Issues nextPublish vs. max-age and ETag –Later appears to be the more accepted route –Remember these are Hints not Policies… Response validity nesting; clarification of text.

6 Questions?

7 Facts Internet Explorer, Firefox, Opera, Safari, etc. do not enable revocation checking by default. Commercial certificate authority CRLs are quite large (800k+ in some important cases) Use of OCSP in traditional “real time” mode would result in many requests per page, many request per corporation. The majority of public internet consumers are dial up (~56k), especially true internationally.

8 Misconceptions Pre-Production is about optimizing out RSA signs –No, it is about: Bring revocation data closer to the relying party. Reduce number of potential failure points in e- commerce transactions with revocation checking enabled. Enabling catch-22 revocation scenarios. Deploying cost effective OCSP solutions in suitable environments (inexpensive Geographic distribution).

Download ppt "Lightweight OCSP Profile for High Volume Environments November 10, 2004 Ryan M. Hurst Alex Deacon."

Similar presentations

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer

Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Lecture 22 Internet Security Protocols and Standards

Lecture 22 Internet Security Protocols and Standards
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.

Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.

Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.

Similar presentations

Ads by Google