SSi Service Strategies Inc.

eTrust OCSPro Frequent Questions

eTrust OCSPro is a scalable, distributed OCSP responder implementation that allows a client to query the status of a particular certificate from a trusted authority in real time.

What is OCSP?
OCSP is the Online Certificate Status Protocol. The protocol was introduced by the Internet Engineering Task Force (IETF) as a standards-based certificate status checking mechanism that can handle global systems involving thousands of Certificate Authorities (CAs) and millions of certificates.

What is eTrust OCSPro?
eTrust OCSPro is a scalable, distributed OCSP responder implementation that allows a client to query the status of a particular certificate from a trusted authority in real time. It has the powerful ability to deliver application-specific policy processing, distributed and load-balanced throughput management, and strong integration with directory services and related Public Key Infrastructure (PKI) elements.

What are CRLs?
Certificate Revocation Lists. The conventional technique for certificate validation is to obtain a CRL from the issuing Certification Authority.

What are the limitations of CRLs?
CRLs present two significant limitations:

- A CRL is provided periodically in a batch mode, so there exists a time window where a revoked certificate will be regarded as valid. For a financial institution, this represents a direct cost as the institution may be liable from the time of notification of private key compromise.
- As the number of certificates grows and the number of certificates in the CRL grows, the distribution and management processes associated with CRLs become cumbersome and unscalable. The eTrust OCSPro status checking mechanism can handle global systems involving thousands of Certification Authorities and millions of certificates.

How does OCSPro fit in with a PKI?
Using eTrust OCSPro to supply status information provides significant benefits to all users of PKI systems.

Benefits for System Designers:

- eTrust OCSPro can support the complex system rules required to successfully implement PKI systems consisting of multiple companies and/or organizations.
- It's extensible. OCSP supports private extensions as part of the status checking process.

Benefits for Businesses:

- Allows you to maintain privacy. Publishing Certificate Revocation Lists (CRLs) to potential business partners exposes a partial customer list, and may be seen as a breach of client privacy rights.
- Maintain a detailed audit trail of all status transactions.
- Customer management. eTrust OCSPro allows certificate status to be maintained in a directory, the central repository for all customer and service information.
- Control of the revocation process. Real-time status can be maintained by storing status in the directory or issuing CRLs on demand.

Benefits for Clients:

- Can be kept simple. The revocation processing is moved from the client to the server.
- Compact audit trail. Client use of CRLs requires the entire CRL to be stored to support a single transaction.
- Efficient use of bandwidth. Only the required information is transmitted across the network, minimizing costs.

Service Strategies Inc

2392 Mount Vernon Rd

Dunwoody, GA 30338-3092

800-662-1615  678-441-0020

assist@ssimail.com

Copyright © 1998-2003 Service Strategies Inc. All rights reserved.
Revised: September 27, 2004.