There Must Be Another Way!
Online Certificate Status Protocol (RFC 2560)
- Real-time status instead of a periodically published CRL
- Three responses: good, revoked, unknown
- Burden moved from the client (fetching and parsing CRLs) to the server
OCSP
OCSP servers can be:
- Run by the CA
- Delegated by the CA
- Trusted third parties
Exchange:
- Client knows the server address
- Client sends the certificate's serial number (with the issuer name and key hashes that identify the CA)
- Server sends a signed response
The Next Problem
- Knowing the location of the server!
- Without a responder address the system is useless
- So what can we do?
A Solution: The DNS System
- Referrals: the client only needs the address of any server
- Authority is delegated
- The Service Locator extension of RFC 2560 (for routing a request to the authoritative responder): specifics undefined, not currently being used
- Signed response: local responder key or CA key
So What?
OCSP can mimic DNS:
- Local responders
- Authoritative responders
- Root OCSP servers
Nothing is known about the authoritative responder! The client (or local responder) holds no key for it, so its answer cannot be verified directly.
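The exchange from the OCSP slide (serial in, one of three signed statuses out) and the DNS-style referral design from the two slides above, carried through as one added example; this is not code from the original talk. It assumes plain (issuer, serial) tuples in place of RFC 2560's DER-encoded request, an in-memory name registry in place of network addresses, and HMAC-SHA256 in place of the responder's public-key signature; all three are simplifications for an offline demonstration. The local responder treats an answer it cannot verify as "unknown", which is the point the last slide raises.

```python
import hashlib
import hmac
import json

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


def sign(key, payload):
    """Sign a response. HMAC-SHA256 is an assumed stand-in for the responder's public-key signature."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(key, signed):
    body = json.dumps(signed["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


class AuthoritativeResponder:
    """CA-run or CA-delegated responder: the only party that knows the CA's revocation data."""

    def __init__(self, issuer, ca_key, issued, revoked):
        self.issuer, self.ca_key = issuer, ca_key
        self.issued, self.revoked = set(issued), set(revoked)

    def query(self, issuer, serial):
        if issuer != self.issuer or serial not in self.issued:
            status = UNKNOWN          # not our CA, or a serial it never issued
        elif serial in self.revoked:
            status = REVOKED
        else:
            status = GOOD
        return sign(self.ca_key, {"issuer": issuer, "serial": serial, "status": status})


class RootResponder:
    """DNS-root analogue: holds no certificate status, only referrals."""

    def __init__(self, key, delegations):
        self.key, self.delegations = key, dict(delegations)  # issuer -> responder name

    def query(self, issuer, serial):
        payload = {"issuer": issuer, "serial": serial}
        if issuer in self.delegations:
            payload["referral"] = self.delegations[issuer]
        else:
            payload["status"] = UNKNOWN
        return sign(self.key, payload)


class LocalResponder:
    """Recursive-resolver analogue: the one address a client needs. It chases the
    referral, verifies the upstream answer, caches it, and re-signs with its own key."""

    def __init__(self, key, root, root_key, registry, ca_keys):
        self.key, self.root, self.root_key = key, root, root_key
        self.registry = registry      # responder name -> responder object (stands in for a network address)
        self.ca_keys = ca_keys        # issuer -> CA key the local responder trusts
        self.cache = {}

    def query(self, issuer, serial):
        if (issuer, serial) not in self.cache:
            self.cache[(issuer, serial)] = self._resolve(issuer, serial)
        status = self.cache[(issuer, serial)]
        return sign(self.key, {"issuer": issuer, "serial": serial, "status": status})

    def _resolve(self, issuer, serial):
        ref = self.root.query(issuer, serial)
        if not verify(self.root_key, ref) or "referral" not in ref["payload"]:
            return UNKNOWN
        answer = self.registry[ref["payload"]["referral"]].query(issuer, serial)
        # The weak point the slides flag: with no key for the authoritative responder
        # the answer cannot be verified, so it must not be promoted to good/revoked.
        ca_key = self.ca_keys.get(issuer)
        if ca_key is None or not verify(ca_key, answer):
            return UNKNOWN
        return answer["payload"]["status"]


def client_status(local, local_key, issuer, serial):
    """Client side: send (issuer, serial), check the signature, read one of three statuses."""
    resp = local.query(issuer, serial)
    if not verify(local_key, resp):
        raise ValueError("response signature from local responder does not verify")
    return resp["payload"]["status"]


def build_demo():
    """Constructed sample deployment: two CAs, only one of which the local responder has a key for."""
    ca_a_key, ca_b_key, root_key, local_key = b"ca-a", b"ca-b", b"root", b"local"
    registry = {
        "ocsp.ca-a": AuthoritativeResponder("CA-A", ca_a_key, issued={1, 2, 3}, revoked={2}),
        "ocsp.ca-b": AuthoritativeResponder("CA-B", ca_b_key, issued={7}, revoked=set()),
    }
    root = RootResponder(root_key, {"CA-A": "ocsp.ca-a", "CA-B": "ocsp.ca-b"})
    local = LocalResponder(local_key, root, root_key, registry, ca_keys={"CA-A": ca_a_key})
    return local, local_key


if __name__ == "__main__":
    local, local_key = build_demo()
    for issuer, serial in [("CA-A", 1), ("CA-A", 2), ("CA-A", 9), ("CA-B", 7), ("CA-Z", 1)]:
        print(issuer, serial, client_status(local, local_key, issuer, serial))
```

Running it gives good, revoked and unknown for CA-A serials 1, 2 and 9, and unknown for both CA-B (referral works, but the local responder has no CA-B key to check the answer) and CA-Z (the root has no delegation). A real deployment would replace the shared-key `ca_keys` table with the CA certificates the local responder trusts and check RFC 2560 responses with the responder's certificate; the referral logic is what the slides propose, not something RFC 2560 specifies.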
Conclusion
Terrorist, Terrorist, Terrorist
9/11, 9/11
God Bless America
References
- Ron Rivest, "Can We Eliminate Certificate Revocation Lists?", Financial Cryptography, 1998.
- Patrick McDaniel and Aviel Rubin, "A Response to 'Can We Eliminate Certificate Revocation Lists?'", Financial Cryptography, 2000.
- Serge Egelman, Josh Zaritsky, and Anita Jones, "Improved Certificate Revocation with OCSP".
- M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams, "X.509 Internet Public Key Infrastructure: Online Certificate Status Protocol (OCSP)", IETF RFC 2560.
- R. Housley, W. Polk, W. Ford, and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", IETF RFC 2459.