In an environment of trust it is of utmost importance to verify the validity of each digital certificate. As a general rule, two communicating parties with certificates issued by the same certification authority (CA) can check the validity of the other party’s certificate using either the CRL (Certificate Revocation List) mechanism or by sending an OCSP request.
There are, however, certain drawbacks to downloading the CRL in order to verify a certificate’s status, notably bandwidth consumption and latency, both caused by the potentially large size of the CRL.
The OCSP protocol is described in the RFC 2560 specification (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP) and is based on the HTTP protocol. The certificate status check is performed in a synchronous manner: a request identifying the certificate to check is sent to the OCSP server, which returns the current status of the certificate in an electronically signed message.
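The exchange just described, as an added example that is not OpenTrust's code: a constructed CA, leaf certificate and responder built with the Python `cryptography` library, so the client's request, the responder's signed reply and the client's signature check all run offline. The CA key signing the response, the names, the one-hour validity window and the revoked-serial lookup are assumptions made for the example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
NOW = datetime.datetime(2024, 1, 1)  # naive datetimes are treated as UTC by the library
def _issue(cn, pubkey, issuer, issuer_key, is_ca):
    """Constructed PKI (assumption): one CA that signs itself and one leaf certificate."""
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder().subject_name(name)
               .issuer_name(issuer.subject if issuer else name)
               .public_key(pubkey).serial_number(x509.random_serial_number())
               .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_CERT = _issue("Constructed Test CA", CA_KEY.public_key(), None, CA_KEY, True)
LEAF_CERT = _issue("client.example.test", ec.generate_private_key(ec.SECP256R1()).public_key(),
                   CA_CERT, CA_KEY, False)
def build_request(cert, issuer):
    """Client side: the request names the certificate by issuer hashes plus serial number."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA256()).build()
    return req.public_bytes(serialization.Encoding.DER)

def answer_request(der_request, revoked_serials):
    """Responder side: look the serial up and return a signed, time-bounded status."""
    req = ocsp.load_der_ocsp_request(der_request)
    status = ocsp.OCSPCertStatus.REVOKED if req.serial_number in revoked_serials else ocsp.OCSPCertStatus.GOOD
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=LEAF_CERT, issuer=CA_CERT, algorithm=hashes.SHA256(), cert_status=status,
                          this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
                          revocation_time=NOW if status == ocsp.OCSPCertStatus.REVOKED else None,
                          revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
            .sign(CA_KEY, hashes.SHA256()))  # the CA key signs here; a deployment would use an HSM-held responder key
    return resp.public_bytes(serialization.Encoding.DER)

def check_status(der_response, cert, issuer):
    """Client side: trust the status only after the signature (InvalidSignature if forged) and serial check out."""
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder returned %s" % resp.response_status.name)
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:
        raise ValueError("response is for a different certificate")
    return resp.certificate_status.name  # "GOOD", "REVOKED" or "UNKNOWN"

def run_exchange(leaf_revoked=False):
    revoked = {LEAF_CERT.serial_number} if leaf_revoked else set()
    return check_status(answer_request(build_request(LEAF_CERT, CA_CERT), revoked), LEAF_CERT, CA_CERT)
```

`run_exchange()` returns the verified status for the leaf certificate, and `run_exchange(leaf_revoked=True)` shows the same round trip reporting a revocation.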
OpenTrust OCSP provides instant certificate status verification and hence eliminates all problems encountered by most large organizations when using CRLs. OpenTrust OCSP can be used with a Hardware Security Module (HSM) on which the OCSP signing keys are securely stored.
OpenTrust OCSP’s modular architecture has been designed to optimize both performance and scalability. What’s more, OpenTrust OCSP can verify certificates issued by more than one CA for an efficient, pooled validation service.