Lightweight OCSP Profile for High Volume Environments - PowerPoint PPT Presentation

Learn more at: https://www.ietf.org

1
Lightweight OCSP Profile for High Volume
Environments
  • November 10, 2004
  • Ryan M. Hurst
  • Alex Deacon

2
Goals
  • Profile how clients and servers use OCSP in its
    Response Pre-production mode.
  • Profile minimal implementation for ease of client
    implementation.
  • Important in constrained environments (reduced
    bandwidth)
  • Support cross-WG initiatives to decentralize
    response distribution.
  • Important step to support revocation checking in
    high volume environments like TLS in e-commerce
  • Use of OCSP in disconnected (catch-22) scenarios
    (e.g. the client must authenticate the server
    before it can obtain an IP address).

3
Supports peer WG initiatives
  • IP Security Protocol (ipsec)
    • OCSP Extensions to IKEv2
  • Transport Layer Security (tls)
    • TLS Extensions (RFC 3546)
      • 3.6. Certificate Status Request
    • EAP-TLS
  • Kerberos WG (krb-wg)
    • OCSP Support for PKINIT

4
Where are we?
  • VeriSign has a public implementation of the
    current draft available.
  • CoreStreet's current client and server support
    the profile.
  • Tumbleweed's current client and server support
    the profile.
  • Microsoft's current Longhorn beta (client)
    supports the profile.

5
Open Issues
  • nextPublish vs. max-age and ETag
    • The latter appears to be the more accepted
      route.
    • Remember these are hints, not policies.
  • Response validity nesting: clarification of the
    text.
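As an added illustration of the max-age/ETag route (example code, not part of the original slides): the HTTP caching headers for a pre-produced response are derived from its signed validity window, while the relying party still decides on thisUpdate/nextUpdate alone, which is what "hints, not policies" means in practice. The header set is the one the later RFC 5019 profile settled on; the response bytes and dates below are constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Constructed stand-in for the DER bytes of a pre-produced OCSPResponse; not a real response.
SAMPLE_RESPONSE_DER = b"\x30\x82\x01\x00constructed-ocsp-response-bytes"
# Constructed validity window of that signed response (thisUpdate / nextUpdate).
THIS_UPDATE = datetime(2004, 11, 10, 0, 0, tzinfo=timezone.utc)
NEXT_UPDATE = THIS_UPDATE + timedelta(days=7)


def cache_headers(response_der, this_update, next_update, now):
    """HTTP headers a responder or CDN node attaches to a pre-produced response.

    The cache lifetime is derived from the signed window, never the other way
    round: max-age is the time left until nextUpdate (0 once it has passed), so
    a cache is told to stop serving the response when the signed window ends.
    """
    remaining = int((next_update - now).total_seconds())
    max_age = max(remaining, 0)
    return {
        "Last-Modified": format_datetime(this_update, usegmt=True),
        "Expires": format_datetime(next_update, usegmt=True),
        # ETag from a hash of the DER bytes: a re-signed response gets a new tag,
        # so conditional requests (If-None-Match) only revalidate unchanged data.
        "ETag": '"%s"' % hashlib.sha1(response_der).hexdigest(),
        "Cache-Control": "max-age=%d, public, no-transform, must-revalidate" % max_age,
    }


def max_age_of(headers):
    """Read max-age back out of Cache-Control (what an intermediary cache honours)."""
    for directive in headers["Cache-Control"].split(","):
        directive = directive.strip()
        if directive.startswith("max-age="):
            return int(directive[len("max-age="):])
    return 0


def relying_party_accepts(this_update, next_update, now, skew=timedelta(minutes=5)):
    """The relying party's freshness decision uses only the signed fields.

    Whatever max-age or ETag a cache served, a response outside
    [thisUpdate, nextUpdate] (plus a small clock skew) is rejected: the headers
    are hints to caches, the signed window is the policy.
    """
    return this_update - skew <= now <= next_update + skew
```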

6
Questions?

7
Facts
  • Internet Explorer, Firefox, Opera, Safari, etc.
    do not enable revocation checking by default.
  • Commercial certificate authority CRLs are quite
    large (800k in some important cases)
  • Use of OCSP in traditional real-time mode would
    result in many requests per page, and many
    requests per corporation.
  • The majority of public internet consumers are on
    dial-up (56k), especially internationally.

8
Misconceptions
  • Pre-Production is about optimizing out RSA signs
    • No, it is about:
      • Bringing revocation data closer to the
        relying party.
      • Reducing the number of potential failure
        points in e-commerce transactions with
        revocation checking enabled.
      • Enabling catch-22 revocation scenarios.
      • Deploying cost-effective OCSP solutions in
        suitable environments (inexpensive geographic
        distribution).