SSi Service Strategies Inc.

Certificate Validation

eTrust eBusiness Security


eTrust OCSPro

eTrust OCSPro Provides a Scalable, Distributed Certificate Validation Implementation

The scope of business is rapidly expanding to encompass high-value global transactions. These transactions, along with Internet-based corporate data access, demand strongly authenticated security systems, including digital-certificate-based authentication and real-time certificate status validation. The validity of a given certificate is a crucial piece of information that must be assessed for any eCommerce transaction. The best approach to certificate validation is to use a protocol that allows a customer to query the status of a particular certificate from a trusted authority in real time. The “conventional” technique for determining status is to obtain a certificate revocation list (CRL) from the issuing certification authority — an approach that presents two significant limitations:

— The CRL may be provided periodically in a batch mode, leaving a time window open during which a revoked certificate is still regarded as valid.

— As the number of certificates in the CRL grows, the distribution and management processes associated with CRLs become cumbersome and do not scale.

To overcome these limitations, the Internet Engineering Task Force (IETF) introduced the Online Certificate Status Protocol (OCSP) — a standards-based status-checking mechanism that handles global systems involving thousands of certification authorities and millions of certificates.
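The OCSP exchange described above, reduced to its essentials, as an added example (this is not the page's or the product's code): a constructed test CA issues certificates, a responder answers status requests from a live revocation store, and a relying party validates the signed response before trusting it. It uses the pyca/cryptography library; the CA name, the subject names and the ten-minute response validity window are assumptions made here for illustration. The revocation store is a plain dict standing in for whatever backend a real responder consults.

```python
# Added example: a miniature OCSP exchange with pyca/cryptography.
# All certificates, names and timing values below are constructed for illustration.
import os
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

DER = serialization.Encoding.DER


def _utcnow():
    # Naive UTC is accepted by every cryptography release for builder fields.
    return datetime.now(timezone.utc).replace(tzinfo=None)


def _field(obj, name):
    # cryptography >= 43 exposes tz-aware *_utc accessors; older releases only naive ones.
    value = getattr(obj, name + "_utc") if hasattr(obj, name + "_utc") else getattr(obj, name)
    return value.replace(tzinfo=None) if value is not None and value.tzinfo else value


def _cert_builder(subject, issuer, public_key, days):
    now = _utcnow()
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=days)))


def make_ca(common_name="Constructed Test CA"):
    """Self-signed CA (assumed name); it also signs the OCSP responses directly."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (_cert_builder(name, name, key.public_key(), 365)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_cert(ca_key, ca_cert, common_name):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return _cert_builder(name, ca_cert.subject, key.public_key(), 90).sign(ca_key, hashes.SHA256())


class Responder:
    """OCSP responder backed by a live revocation store (a dict here)."""

    def __init__(self, ca_key, ca_cert):
        self.ca_key, self.ca_cert = ca_key, ca_cert
        self.issued = {}    # serial -> certificate
        self.revoked = {}   # serial -> (revocation time, reason)

    def register(self, cert):
        self.issued[cert.serial_number] = cert

    def revoke(self, cert, reason=x509.ReasonFlags.key_compromise):
        self.revoked[cert.serial_number] = (_utcnow(), reason)  # effective on the next query

    def handle(self, request_der):
        req = ocsp.load_der_ocsp_request(request_der)
        cert = self.issued.get(req.serial_number)
        if cert is None:  # not a certificate we answer for: refuse rather than guess
            return ocsp.OCSPResponseBuilder.build_unsuccessful(
                ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
        now = _utcnow()
        rev_time, reason = self.revoked.get(cert.serial_number, (None, None))
        status = ocsp.OCSPCertStatus.REVOKED if rev_time else ocsp.OCSPCertStatus.GOOD
        builder = (ocsp.OCSPResponseBuilder()
                   .add_response(cert=cert, issuer=self.ca_cert, algorithm=req.hash_algorithm,
                                 cert_status=status, this_update=now,
                                 next_update=now + timedelta(minutes=10),  # assumed window
                                 revocation_time=rev_time, revocation_reason=reason)
                   .responder_id(ocsp.OCSPResponderEncoding.HASH, self.ca_cert))
        try:  # echo the client's nonce so it can detect a replayed response
            builder = builder.add_extension(
                req.extensions.get_extension_for_class(x509.OCSPNonce).value, critical=False)
        except x509.ExtensionNotFound:
            pass
        return builder.sign(self.ca_key, hashes.SHA256()).public_bytes(DER)


def check_status(cert, ca_cert, responder):
    """Relying party: ask, then verify signature, serial, nonce and freshness
    before believing the status. Raises ValueError on any failed check."""
    nonce = os.urandom(16)
    req = (ocsp.OCSPRequestBuilder()
           .add_certificate(cert, ca_cert, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False)
           .build())
    resp = ocsp.load_der_ocsp_response(responder.handle(req.public_bytes(DER)))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder returned {resp.response_status.name}")
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                padding.PKCS1v15(), resp.signature_hash_algorithm)
    if resp.serial_number != cert.serial_number:
        raise ValueError("response is about a different certificate")
    if resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce != nonce:
        raise ValueError("nonce mismatch: possible replayed response")
    now, this_update, next_update = _utcnow(), _field(resp, "this_update"), _field(resp, "next_update")
    if this_update > now + timedelta(minutes=5) or (next_update is not None and now > next_update):
        raise ValueError("response outside its validity window")
    return resp.certificate_status


def demo():
    """Returns {common name: status name}, or 'ERROR' where validation refused the answer."""
    ca_key, ca_cert = make_ca()
    responder = Responder(ca_key, ca_cert)
    certs = [issue_cert(ca_key, ca_cert, cn) for cn in
             ("alice.example.test", "bob.example.test", "unregistered.example.test")]
    responder.register(certs[0])
    responder.register(certs[1])
    responder.revoke(certs[1])  # visible on the very next query; no CRL cycle to wait for
    results = {}
    for cert in certs:
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        try:
            results[cn] = check_status(cert, ca_cert, responder).name
        except ValueError:
            results[cn] = "ERROR"
    return results


if __name__ == "__main__":
    print(demo())
```

The relying-party side is where the security value sits: a status of GOOD is only meaningful after the signature, the serial number, the echoed nonce and the thisUpdate/nextUpdate window have all been checked, otherwise a stale or replayed response could be substituted for a current one.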

Background on Certificate-Based Authentication Systems

The security components of contemporary IT systems are transitioning from password-based authentication techniques to standards-based certificate systems. A significant prerequisite for certificate-based authentication is a PKI, which is founded on the X.509 Authentication Framework, a core element of the ISO X.500 directory standard. The key components in any PKI are the issuance process, the status process and the usage service. The issuance process is managed by a certificate authority, a trusted entity responsible for issuing X.509 certificates. At the time of a transaction or usage, the certificates are used to secure the actual exchange of information between the two contracting parties. Another important element in the process is to confirm that the certificate is still valid for the transaction at hand. This is called status checking and is typically handled by an electronic inquiry. The specific function of eTrust OCSPro is to check the real-time status of a certificate within a PKI framework.

Taking OCSP to a New Level of Functionality

eTrust OCSPro is the only commercial OCSP responder that can be configured to meet unique organizational, geographic and legal requirements. Its expansive configuration capabilities allow the product to be successfully deployed within large-scale distributed infrastructures. eTrust OCSPro provides benefits to all users of PKI systems:

• Increases operational efficiency for system designers by supporting the complex system rules required to successfully implement PKI systems consisting of multiple organizations

• Maintains privacy by not publishing CRLs; exposing a user list may be seen as a breach of customer privacy rights

• Improves customer management by allowing certificate status to be maintained in a directory — the central repository for all customer and service information

• Increases accountability by maintaining a detailed audit trail of all status transactions

• Minimizes costs by efficiently using bandwidth — only required information is transmitted across the network

eTrust OCSPro: Distinctive Functionalities

• Real-Time Status Through Integration With eTrust Directory. eTrust OCSPro is fully integrated with eTrust Directory, enabling status lookup to be provided in real time. Since CRLs may only be issued periodically, there is a possible lag between the time a CRL is issued and the time its information is actually used.

• User-Defined Policies. eTrust OCSPro is the only commercially available OCSP responder that supports user-defined policies. The policy to be used for any given request is determined by attributes of the request. Each policy then defines how the request will be processed. All aspects of the response may be controlled within the policy, allowing the method of status checking to be determined on a per-request basis. Other attributes of the response can also be set on a per-request basis, including responder ID, signing certificate, SSL certificate (when chaining) and signature algorithm.

• Detailed Statistics. eTrust OCSPro maintains detailed logs and statistics. These help organizations ensure that Service Level Agreements are being met, identify performance bottlenecks, take corrective action before a problem becomes critical, quickly and easily resolve problems if they occur, and collect the information required to accurately undertake capacity planning.

• Advanced Functionality and Configuration Capability. eTrust OCSPro supports a highly scalable, advanced architecture offering expansive configuration capabilities and the flexibility required by system integrators involved in PKI deployment.

• Compact Audit Trail. The compact audit trail of eTrust OCSPro does not require that entire CRLs or CRL references be stored to support single transactions.

• Support for Multi-Party Authentication Systems. eTrust OCSPro offers comprehensive support for distributed multi-party authentication systems provided by Trust Services Associations, such as Identrus. Features include chaining and multiple policies, as well as load sharing for performance enhancement and improved availability.

Service Strategies Inc

2392 Mount Vernon Rd

Dunwoody, GA 30338-3092

800-662-1615 / 678-441-0020

assist@ssimail.com

Copyright © 1998-2003 Service Strategies Inc. All rights reserved.
Revised: September 27, 2004.