Revisions
2012-06-25 05:48:00 by David Groep
OCSP Requirements for Grids
Informational/OCSP_Requirements_for_Grids.doc
Certificates have built-in lifetimes, but a lifetime alone is insufficient: lists of revoked certificates are required by many relying parties, and should be used by every relying party, in order to eliminate lost, compromised, or otherwise invalid certificates from use. Commercial credit and debit cards are managed in an analogous fashion. The Online Certificate Status Protocol (OCSP) is a protocol that can be used to provide this service for Grid stakeholders. OCSP is a simple query protocol, relieving its clients (also called “relying parties” throughout this document) of the burden of managing lists of revoked certificates. The OCSP protocol is flexible and extensible, allowing certificate validation services beyond the simple reporting of the contents of certificate revocation lists (CRLs). The Grid presents considerable challenges for such a service, however. To be suitable for Grid use, OCSP services must be discoverable, fault tolerant and low latency. Grid administrators need to develop interoperability methods, methods for “chaining” from one OCSP responder to another, authorized OCSP responder mechanisms for multiple CAs, and replication techniques.
0.2
None
application/msword
423.5 kB
Document progress suspended whilst group evaluates scope
2012-06-25 05:47:26 by David Groep
OCSP Requirements for Grids
Informational/OCSP Requirements for Grids.zip
0.1
None
application/zip
412.7 kB
Document progress suspended whilst group evaluates scope
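The abstract above describes OCSP as a query protocol that lets a relying party ask a responder about one certificate instead of maintaining CRLs, and names authorized responders and freshness among the Grid requirements. The following is an added example, not part of the document and not code from any Grid software: it builds a throwaway CA, a delegated OCSP responder and one end-entity certificate in-process with the Python `cryptography` library, performs a single request/response round trip, and applies the checks a relying party has to make before it may believe the answer (the answer is about the certificate asked about; the signer is the CA or a CA-issued delegate carrying id-kp-OCSPSigning; the response signature verifies; the thisUpdate/nextUpdate window covers the current time). The names, serial numbers, the fixed clock `NOW`, the `ISSUED` table and the `revoked` mapping are all constructed for the example.

```python
# Added example, not part of the document: one OCSP round trip with the
# `cryptography` library plus the relying-party checks. CA, responder,
# end-entity cert, names, serials and the fixed clock NOW are constructed.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc
NOW = datetime.datetime(2012, 6, 25, 12, 0, tzinfo=UTC)   # constructed clock
ONE_DAY = datetime.timedelta(days=1)

def _utc(dt):
    """Older cryptography releases return naive UTC datetimes; make both comparable."""
    return dt if dt.tzinfo else dt.replace(tzinfo=UTC)

def _when(resp, field):
    """Prefer the *_utc accessor (cryptography >= 43), else fall back to the older one."""
    return _utc(getattr(resp, field + "_utc", None) or getattr(resp, field))

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(subject, issuer, key, pub, serial, ocsp_signing=False):
    """Constructed PKI helper: issue a one-year certificate around NOW."""
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pub).serial_number(serial)
         .not_valid_before(NOW - ONE_DAY).not_valid_after(NOW + 365 * ONE_DAY))
    if ocsp_signing:   # RFC 6960 4.2.2.2: a delegated responder carries id-kp-OCSPSigning
        b = b.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(key, hashes.SHA256())

# Constructed PKI: one CA, one delegated OCSP responder, one end-entity certificate.
CA_NAME = _name("Example Grid CA")
ca_key, resp_key, ee_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
ca_cert = _issue(CA_NAME, CA_NAME, ca_key, ca_key.public_key(), 1)
resp_cert = _issue(_name("Example Grid OCSP Responder"), CA_NAME, ca_key,
                   resp_key.public_key(), 2, ocsp_signing=True)
ee_cert = _issue(_name("user@example.org"), CA_NAME, ca_key, ee_key.public_key(), 1001)
ISSUED = {ee_cert.serial_number: ee_cert}   # the responder's copy of what the CA issued

def build_request(cert, issuer):
    """Relying party -> responder: DER OCSPRequest naming the certificate by
    issuer name/key hashes and serial number (RFC 6960 CertID)."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA256()).build()
    return req.public_bytes(serialization.Encoding.DER)

def answer(request_der, revoked, now=NOW):
    """Responder -> relying party: DER OCSPResponse signed by the delegated
    responder. `revoked` maps serial -> (revocation time, ReasonFlags)."""
    req = ocsp.load_der_ocsp_request(request_der)
    cert = ISSUED[req.serial_number]
    if req.serial_number in revoked:
        status, (rtime, reason) = ocsp.OCSPCertStatus.REVOKED, revoked[req.serial_number]
    else:
        status, rtime, reason = ocsp.OCSPCertStatus.GOOD, None, None
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA256(),
                             cert_status=status, this_update=now, next_update=now + ONE_DAY,
                             revocation_time=rtime, revocation_reason=reason)
               .responder_id(ocsp.OCSPResponderEncoding.NAME, resp_cert)
               .certificates([resp_cert]))   # ship the delegate's cert with the answer
    return builder.sign(resp_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def check(response_der, request_der, issuer, now=NOW):
    """Relying-party verdict. Only 'good' permits use; every other value fails closed."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "no-answer"
    req = ocsp.load_der_ocsp_request(request_der)
    # 1. The answer must be about the certificate we asked about.
    if (resp.serial_number, resp.issuer_key_hash) != (req.serial_number, req.issuer_key_hash):
        return "mismatch"
    # 2. The signer must be the CA itself or a delegate the CA issued with id-kp-OCSPSigning.
    signer = next((c for c in resp.certificates if c.subject == resp.responder_name), None)
    if signer is None:
        return "no-signer"
    try:
        if signer != issuer:
            issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                       padding.PKCS1v15(), signer.signature_hash_algorithm)
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
            if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
                return "unauthorized-responder"
        # 3. The response body must carry that signer's signature.
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
    except (InvalidSignature, x509.ExtensionNotFound):
        return "bad-signature"
    # 4. Freshness: a response outside its thisUpdate..nextUpdate window is no answer.
    if not (_when(resp, "this_update") <= now <= _when(resp, "next_update")):
        return "stale"
    # 5. Only now does the status itself matter.
    return {ocsp.OCSPCertStatus.GOOD: "good",
            ocsp.OCSPCertStatus.REVOKED: "revoked"}.get(resp.certificate_status, "unknown")

def demo():
    """Fresh 'good'; the same serial after a key-compromise revocation; and a
    revoked reply replayed three days later, which is rejected as stale."""
    req = build_request(ee_cert, ca_cert)
    good = check(answer(req, {}), req, ca_cert)
    revoked = {ee_cert.serial_number: (NOW, x509.ReasonFlags.key_compromise)}
    after = check(answer(req, revoked), req, ca_cert)
    stale = check(answer(req, revoked), req, ca_cert, now=NOW + 3 * ONE_DAY)
    return good, after, stale   # ('good', 'revoked', 'stale')
```

The ordering in `check` is the point: identity of the answer, authority of the signer, integrity of the signature and freshness are all settled before the status byte is looked at, and every failure returns something other than `good`. The freshness window is what makes the abstract's "low latency" and "replication" requirements security-relevant rather than merely operational: a relying party that accepts a stale or unreachable responder's last answer has silently fallen back to no revocation checking at all.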