Monday, November 14, 2011

Do I need an OCSP responder?

OCSP - Online Certificate Status Protocol

I was thinking about the question of why and when I should add OCSP to a PKI, and I see many reasons why smaller organizations might not need OCSP, and why larger companies do not necessarily need it either.

- With Windows 2008 R2, the OCSP responder uses the CRL as its data set, so you must issue fresh CRLs more often.
- If you do not revoke certificates, or have an alternative method to block access to your service (e.g. disabling the user account in AD), then OCSP is only overhead. Review your revocation policy; if you don't have one, create one!
- Not all of your clients might "speak" OCSP (e.g. Windows 2000 and Windows XP).
- Check network connectivity from all your potential clients to the OCSP server: clients contact the OCSP responder on every certificate check, which can cause latency issues for your applications.
- For some devices, e.g. Cisco concentrators, you do not need to publish the OCSP path in all certificates; you can configure the OCSP path on the concentrator itself.
- Most clients cache the CRL locally, so if the CRL distribution point is unavailable for a short time (let's say 4 hours, when your CRL validity is 2 weeks), most of your systems still work without any issue. If you rely only on OCSP, then make it highly available.
- Think also about additional license costs, operational costs and support.
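
To make the points above concrete, here is an added example (not part of the original post): it builds a throwaway CA with one valid and one revoked certificate, runs a local OCSP responder fed from an openssl index file (the responder's revocation data set), extracts the OCSP URL from the certificate's AIA extension, and queries the responder for both certificates. It assumes openssl (1.1.1 or 3.x) is on PATH and that TCP port 18888 on 127.0.0.1 is free; all names and serial numbers are made up.

```shell
#!/bin/sh
# Added demo, not from the original post. Assumes openssl on PATH and a free
# TCP port 18888 on localhost. Everything lives in a scratch directory.
set -e
OCSP_PORT=18888
WORK=$(mktemp -d)
cd "$WORK"

# The OCSP responder URL as a client discovers it from the certificate's AIA.
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Ask the responder for one certificate's status; prints good/revoked/unknown.
ocsp_status() {
    openssl ocsp -issuer ca.pem -cert "$1" -url "$(ocsp_uri "$1")" \
        -CAfile ca.pem 2>/dev/null | sed -n "s/^$1: //p"
}

# Throwaway CA and two leaf certificates. The AIA extension carries the OCSP
# URL, i.e. the "OCSP path" published in the certificates.
printf 'authorityInfoAccess=OCSP;URI:http://127.0.0.1:%s\n' "$OCSP_PORT" > aia.cnf
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Demo CA' \
    -keyout ca.key -out ca.pem 2>/dev/null
issue_leaf() {  # $1 = file stem (also the CN), $2 = serial in hex
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "0x$2" \
        -days 30 -extfile aia.cnf -out "$1.pem" 2>/dev/null
}
issue_leaf leaf 1001
issue_leaf revoked 1002

# Revocation data set in openssl's index format (tab-separated: status,
# expiry, revocation date, serial, file, subject). As with the CRL on
# Windows 2008 R2, the responder can only be as fresh as this data.
printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=leaf\n'                > index.txt
printf 'R\t301231235959Z\t111114120000Z\t1002\tunknown\t/CN=revoked\n' >> index.txt

# Local OCSP responder signing with the CA key; stopped when the script exits.
openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -port "$OCSP_PORT" >/dev/null 2>&1 &
RESP_PID=$!
trap 'kill $RESP_PID 2>/dev/null' EXIT
sleep 1

echo "leaf.pem    -> $(ocsp_status leaf.pem)"      # good
echo "revoked.pem -> $(ocsp_status revoked.pem)"   # revoked
```

Every `ocsp_status` call is a round trip to the responder, which is the per-check network dependency the list warns about; stop the responder and the same calls print nothing, whereas a cached CRL would still answer.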

OCSP is a great improvement in environments with a high number of revocations, which means larger CRLs (in size). Unfortunately it is not easy to say when OCSP makes sense and when it does not; it highly depends on how applications check the revocation status.

And OCSP is not a simple replacement for CRLs; it gives you more capabilities to manage certificate revocation, so it is more a logical extension of a PKI.

[Update] Google disables CRL and OCSP checks in the next Chrome version: http://www.imperialviolet.org/2012/02/05/crlsets.html

---------------------------
Note 1: You can also use 3rd-party OCSP responders or clients to overcome the Windows OCSP limitations.
Note 2: On Windows 2008 R2, Server Enterprise Edition is needed for each OCSP server installation.
