Online Certificate Status Protocol

Online Certificate Status Protocol (OCSP) is a method for determining the revocation status of an X.509 digital certificate using means other than CRLs. It is described in RFC 2560 and is on the Internet standards track.

OCSP messages are encoded in ASN.1 and usually communicated over HTTP. OCSP's request/response nature leads to OCSP servers being termed OCSP responders.

Advantages over CRLs

OCSP was created to overcome certain deficiencies of CRLs. When deploying a PKI, certificate validation using OCSP may be preferred over the use of CRLs for several reasons.

  • OCSP can provide more timely information regarding the revocation status of a certificate.
  • OCSP removes the need for clients to retrieve and parse CRLs themselves, saving network traffic and client-side logic.
  • The content of CRLs can be considered sensitive information, analogous to a credit card company's "bad customer" list.
  • An OCSP responder can implement billing mechanisms to pass the cost of validation transactions to the seller, rather than buyer.
  • To a degree, OCSP supports trusted chaining of OCSP requests between responders. This allows clients to communicate with a trusted responder to query an alternate, unknown certificate authority within the same PKI.

Basic PKI implementation

  • Alice and Bob have public key certificates issued by Ivan.
  • Alice wishes to perform a transaction with Bob and sends him her public key certificate.
  • Bob, concerned that Alice's private key may have been compromised, creates an 'OCSP request' that contains a fingerprint of Alice's public key and sends it to Ivan, the Certificate authority (CA).
  • Ivan's OCSP responder looks up the revocation status of Alice's certificate (using the fingerprint Bob created as a key) in his own CA database. If Alice's private key had been compromised, this is the only trusted location at which the fact would be recorded.
  • Ivan's OCSP responder confirms that Alice's certificate is still OK, and returns a signed, successful 'OCSP response' to Bob.
  • Bob cryptographically verifies the signed response (he has Ivan's public key on hand; Ivan is a trusted responder) and ensures that it was produced recently.
  • Bob completes the transaction with Alice.

Protocol details

An OCSP responder may return a signed response signifying that the certificate supplied in the request is 'good', 'revoked' or 'unknown', or else it may return an error code. Unfortunately, the OCSP v.1 draft is slightly ambiguous on the meaning of 'unknown'. It may mean that the subject certificate itself is unknown, or that the revocation status of the certificate is unknown.

The OCSP request format supports additional extensions. This enables extensive customization to a particular PKI scheme.

OCSP can be resistant to replay attacks, where a signed 'good' response is captured by a malicious intermediary and replayed to the client at a later date, after the subject certificate may have been revoked. OCSP overcomes this by allowing a nonce to be included in the request that must be included in the corresponding response.
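The exchange from the 'Basic PKI implementation' steps above, together with the nonce check described in the replay paragraph and the 'good', 'revoked' and 'unknown' statuses from 'Protocol details', as an added worked example in Go. This is not code from the original article: it models a certificate by its CertID only, uses JSON in place of ASN.1 encoding, and signs responses with an ECDSA key that stands in for Ivan's CA/responder key. The names Ivan and Alice, the serial number 1001 and the five-minute freshness window are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CertID names the queried certificate as in RFC 2560: SHA-1 hashes of the issuer's name and key plus the serial.
type CertID struct {
	IssuerNameHash, IssuerKeyHash string
	SerialNumber                  int64
}
// Request is Bob's OCSP request; the nonce is fresh per request and must be echoed back.
type Request struct {
	ID    CertID
	Nonce string
}
// ResponseBody is the part of Ivan's reply that his signature covers.
type ResponseBody struct {
	ID         CertID
	CertStatus string // "good", "revoked" or "unknown"
	ProducedAt int64  // Unix seconds
	Nonce      string // copied from the request
}
type Response struct {
	Body      ResponseBody
	Signature []byte // ECDSA over SHA-256 of the JSON-encoded body
}

func NewCertID(issuer string, serial int64, issuerPub *ecdsa.PublicKey) CertID {
	nameHash := sha1.Sum([]byte(issuer))
	keyHash := sha1.Sum(append(issuerPub.X.Bytes(), issuerPub.Y.Bytes()...)) // X||Y of the key point
	return CertID{hex.EncodeToString(nameHash[:]), hex.EncodeToString(keyHash[:]), serial}
}

func NewRequest(id CertID) Request {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	return Request{ID: id, Nonce: hex.EncodeToString(nonce)}
}

// Responder is Ivan's OCSP responder, backed by the CA's own database.
type Responder struct {
	key    *ecdsa.PrivateKey
	status map[CertID]string // "good" or "revoked"; a missing entry means unknown
}

// NewResponder takes the CA database: the current status of every issued certificate.
func NewResponder(key *ecdsa.PrivateKey, db map[CertID]string) *Responder {
	return &Responder{key: key, status: db}
}

func bodyDigest(b ResponseBody) [32]byte {
	enc, _ := json.Marshal(b) // fixed struct field order keeps the encoding deterministic
	return sha256.Sum256(enc)
}

// Respond looks the certificate up under the client's CertID and signs the answer.
func (r *Responder) Respond(req Request, now time.Time) (Response, error) {
	status := r.status[req.ID]
	if status == "" {
		status = "unknown" // the CA database has no record of this certificate
	}
	body := ResponseBody{ID: req.ID, CertStatus: status, ProducedAt: now.Unix(), Nonce: req.Nonce}
	d := bodyDigest(body)
	sig, err := ecdsa.SignASN1(rand.Reader, r.key, d[:])
	return Response{Body: body, Signature: sig}, err
}

// VerifyResponse is Bob's check before trusting a status: trusted signature, same CertID and nonce, fresh.
func VerifyResponse(resp Response, req Request, trusted *ecdsa.PublicKey, now time.Time, maxAge time.Duration) (string, error) {
	d := bodyDigest(resp.Body)
	if !ecdsa.VerifyASN1(trusted, d[:], resp.Signature) {
		return "", errors.New("signature does not verify against the trusted responder key")
	}
	if resp.Body.ID != req.ID || resp.Body.Nonce != req.Nonce {
		return "", errors.New("response does not match the request: wrong certificate or replayed nonce")
	}
	produced := time.Unix(resp.Body.ProducedAt, 0)
	if now.Sub(produced) > maxAge || produced.After(now.Add(time.Minute)) {
		return "", errors.New("response is stale or dated in the future")
	}
	return resp.Body.CertStatus, nil
}

func main() { // stand-alone demo of the happy path; prints "good <nil>"
	ivan, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	req := NewRequest(NewCertID("CN=Ivan CA", 1001, &ivan.PublicKey)) // constructed sample
	resp, _ := NewResponder(ivan, map[CertID]string{req.ID: "good"}).Respond(req, time.Now())
	fmt.Println(VerifyResponse(resp, req, &ivan.PublicKey, time.Now(), 5*time.Minute))
}
```

Bob acts on the status only after VerifyResponse passes: a response whose signature fails, whose CertID or nonce differs from his own request (the captured-and-replayed case), or whose ProducedAt falls outside the freshness window is rejected. The trusted key is passed in as a parameter here; in a real deployment Bob identifies the responder's key through a certificate he already trusts.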

OCSP can support more than one level of CA. OCSP requests may be chained between peer responders to query the issuing CA appropriate for the subject certificate, with responders validating each other's responses against the root CA using their own OCSP requests.

An OCSP responder may be queried for revocation information by delegated path validation (DPV) servers. OCSP does not, by itself, perform any DPV of supplied certificates.

Vendor implementations

Vendor implementations of the OCSP protocol include:

External links

  • OpenValidation has a detailed market overview, interoperability information and development resources related to on-line validation.
03-10-2013 05:06:04
The contents of this article are licensed from www.wikipedia.org under the GNU Free Documentation License.