Lightweight OCSP Profile for High Volume Environments
November 10, 2004
Ryan M. Hurst, Alex Deacon
Goals
Profile how clients and servers use OCSP in its "Response Pre-production" mode.
Profile a minimal OCSP implementation for ease of client implementation.
– Important in constrained environments (reduced bandwidth)
Support cross-WG initiatives to decentralize response distribution.
– Important step to support revocation checking in high volume environments like TLS in e-commerce
Use of OCSP in disconnected (catch-22) scenarios (e.g. need to authenticate the server to get an IP address).
Supports peer WG initiatives
IP Security Protocol (ipsec)
– OCSP Extensions to IKEv2
Transport Layer Security (tls)
– TLS Extensions (RFC 3546), section 3.6 Certificate Status Request
– EAP-TLS
Kerberos WG (krb-wg)
– OCSP Support for PKINIT
Where are we?
VeriSign has a public implementation of the current draft available.
CoreStreet: current client and server support the profile.
Tumbleweed: current client and server support the profile.
Microsoft: current Longhorn beta (client) supports the profile.
Open Issues
nextPublish vs. max-age and ETag
– The latter appears to be the more accepted route
– Remember these are hints, not policies…
Response validity nesting: clarification of the text.
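As an added illustration of the "hints, not policies" point on this slide (this is example code, not code from the presentation or from any of the implementations it names): a stdlib-only Python sketch of how a relying party can combine a pre-produced response's own thisUpdate/nextUpdate fields with the HTTP max-age and ETag it arrived with. The min-of-hints cache policy, the five-minute clock-skew allowance, the CachedResponse model and the sample timestamps are assumptions of this example, not anything the slides specify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Clock skew the client tolerates between itself and the responder (assumed value).
CLOCK_SKEW = timedelta(minutes=5)


@dataclass
class CachedResponse:
    """Freshness hints attached to one pre-produced OCSP response (constructed
    model of the relevant fields, not a parser for the DER structure)."""
    this_update: datetime            # OCSP thisUpdate
    next_update: Optional[datetime]  # OCSP nextUpdate; may be absent
    fetched_at: datetime             # when the client received it over HTTP
    cache_control: str = ""          # raw HTTP Cache-Control header value
    etag: Optional[str] = None       # raw HTTP ETag header value


def parse_max_age(cache_control: str) -> Optional[int]:
    """Pull max-age out of a Cache-Control header; None if absent or malformed."""
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value.strip())
    return None


def is_acceptable(resp: CachedResponse, now: datetime) -> bool:
    """Local validity policy: not produced in the future and not past nextUpdate
    (each allowing CLOCK_SKEW). A missing nextUpdate is accepted, as the OCSP
    syntax allows it, but then only HTTP hints can bound the cache lifetime."""
    if resp.this_update > now + CLOCK_SKEW:
        return False
    if resp.next_update is not None and now > resp.next_update + CLOCK_SKEW:
        return False
    return True


def cache_until(resp: CachedResponse) -> datetime:
    """Earliest expiry among the hints the response carries. Both are only
    hints: local policy may shorten the result, never extend it. With no
    hint at all the answer is fetched_at, i.e. do not cache."""
    candidates: List[datetime] = []
    if resp.next_update is not None:
        candidates.append(resp.next_update)
    max_age = parse_max_age(resp.cache_control)
    if max_age is not None:
        candidates.append(resp.fetched_at + timedelta(seconds=max_age))
    return min(candidates) if candidates else resp.fetched_at


def needs_refresh(resp: CachedResponse, now: datetime) -> bool:
    """True once the cached copy has reached its computed expiry."""
    return now >= cache_until(resp)


def refresh_headers(resp: CachedResponse) -> Dict[str, str]:
    """Conditional re-fetch: with an ETag the responder can answer
    304 Not Modified instead of resending the signed response body."""
    return {"If-None-Match": resp.etag} if resp.etag else {}


def sample_response() -> CachedResponse:
    """Constructed sample: response produced at 10:00 UTC with a 24h nextUpdate,
    fetched 30 minutes later with a one-hour max-age and an ETag."""
    t0 = datetime(2004, 11, 10, 10, 0, tzinfo=timezone.utc)
    return CachedResponse(
        this_update=t0,
        next_update=t0 + timedelta(hours=24),
        fetched_at=t0 + timedelta(minutes=30),
        cache_control="public, max-age=3600",
        etag='"pre-produced-v1"',
    )


if __name__ == "__main__":
    sample = sample_response()
    print("acceptable at fetch time:", is_acceptable(sample, sample.fetched_at))
    print("cache until:", cache_until(sample))
    print("refresh headers:", refresh_headers(sample))
```

Because nextUpdate and max-age are independent hints, the example takes the earlier of the two; a responder that sets max-age beyond its own nextUpdate is therefore never trusted past the response's stated validity, and a response served with neither hint is not cached at all.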
Facts
Internet Explorer, Firefox, Opera, Safari, etc. do not enable revocation checking by default.
Commercial certificate authority CRLs are quite large (800k+ in some important cases).
Use of OCSP in traditional "real time" mode would result in many requests per page and many requests per corporation.
The majority of public internet consumers are on dial-up (~56k), especially internationally.
Misconceptions
Pre-production is about optimizing out RSA signs
– No, it is about:
Bringing revocation data closer to the relying party.
Reducing the number of potential failure points in e-commerce transactions with revocation checking enabled.
Enabling catch-22 revocation scenarios.
Deploying cost-effective OCSP solutions in suitable environments (inexpensive geographic distribution).