FRAMINGHAM (03/27/2000) - Business-to-business e-commerce companies increasingly use digital certificates - electronic identities issued by trusted institutions - to secure online transactions. This process has created another security need: systems for checking the validity of those certificates.
The Online Certificate Status Protocol (OCSP) is the IETF's emerging standard for checking whether digital certificates are valid at the time of a given transaction. Before OCSP, risk managers had no easy way to double-check a certificate's validity. OCSP lets these managers conduct these checks in real time, saving time and money. It provides e-businesses with a faster, easier and more dependable way of validating digital certificates than the traditional method of downloading and processing certificate revocation lists (CRL).
Issued by certificate authorities, a CRL is a list of invalid certificates and holders. The traditional CRL fetching process is equivalent to poring over a dated computer printout to see if someone's license has been revoked. The CRL processing method can require organizations to configure client PCs to process CRLs from multiple certificate authorities.
CRLs often grow long because a certificate authority hasn't issued them frequently or because of large numbers of revocations or a sizable user base.
Then they become unwieldy and present another problem: Each CRL distribution severely taxes net bandwidth and client processing power. Also, it may take several days for a trading partner to receive notification about a revoked certificate, increasing the potential for a security breach.
OCSP gives users certificate status online in real time. The result is that it is much quicker than CRL processing, without the same logistical headaches and processing overhead.
To immediately check for revocations, an organization's client application forms a request and forwards it to an OCSP responder, a server application in the net that stores up-to-date revocation information. The responder replies with one of three messages about the certificate's validity: "GOOD," "REVOKED" or "UNKNOWN." The OCSP request is protocol-independent, although HTTP is the most common approach.
A certificate authority or other entity provides an OCSP responder to trusted institutions as part of the public-key infrastructure's trust hierarchy. For those using OCSP responders, the best way to obtain that information is to have the certificate authority feed it directly into the responder. Depending upon the relationship between the certificate authority and the OCSP responder, the certificate authority could forward immediate notification of a certificate's revocation, which would then be instantly available to users.
One critical decision involves whether to use responders that store actual certificates and statuses in databases. Often called repositories, these responders give organizations access to more information about certificates and their statuses, so users can make more informed business decisions about a trading partner's trustworthiness. The trade-off is bearing the cost of maintaining the certificate database. In addition to OCSP, repositories may support Lightweight Directory Access Protocol for client application use.
OCSP makes it easy for organizations to link multiple responders to facilitate business-to-business transactions. This means if an organization requests a certificate status from a responder that does not have the information, that responder can obtain the information from another responder. Creating such a web of responders gives trading partners more flexibility to validate "foreign" certificates and conduct business together over the 'Net.
Business-to-business e-commerce organizations may want to tie into an OCSP system capable of transactional data logging and support for billing applications. With a log of every business transaction, the responder can help an organization resolve disputes if someone questions a transaction.
OCSP brings efficiency and cost savings to the certificate validation process and helps organizations enhance their transaction security. Soon, business partners will be able to use the Web to check various attributes associated with the customer's identity such as credit history and billing information in real time.
Peter Lieberwirth is vice president of engineering at CertCo, a business-to-business e-commerce security company in New York. He can be reached at email@example.com.