

Distributed Online Certificate Status Protocol (Distributed OCSP)


Distributed OCSP is a CoreStreet technology which further improves the scalability of Traditional OCSP, without the need for protected Responders. In a Distributed OCSP system, a Validation Authority pre-computes signed OCSP responses for every certificate and distributes these responses to unprotected Responders.

The pre-computed responses contain no secret information, so compromising a given Responder does not compromise the security of the system. The responses are signed and tamper-evident, so the client can verify that the information it receives from a Responder is genuine. Since no individual Responder needs to be secured, a deployment can include as many Responders as necessary to ensure quick response time to the client. The responses themselves are small, require little bandwidth to transmit, and are cheap for the Validation Authority to compute. Because it is based on OCSP, an already accepted industry standard, Distributed OCSP also works with existing deployments.
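The division of roles described above, as an added Go illustration that is not CoreStreet's code: the Validation Authority signs one status record per certificate ahead of any query, Responders merely hold copies, and the client accepts a record only on the VA's signature and validity window. The record layout and the names `StatusRecord`, `sign` and `verify` are assumptions for this example; it models the idea with Ed25519 rather than producing real DER-encoded OCSP responses.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"time"
)

// StatusRecord stands in for a pre-computed OCSP response; a model, not the DER wire format.
type StatusRecord struct {
	Serial                 uint64
	Revoked                bool
	ThisUpdate, NextUpdate int64 // Unix seconds, the window the VA signed
	Sig                    []byte
}

// encode yields the canonical bytes the VA signs and the client verifies.
func (r StatusRecord) encode() []byte {
	b := make([]byte, 25)
	binary.BigEndian.PutUint64(b[0:], r.Serial)
	if r.Revoked {
		b[8] = 1
	}
	binary.BigEndian.PutUint64(b[9:], uint64(r.ThisUpdate))
	binary.BigEndian.PutUint64(b[17:], uint64(r.NextUpdate))
	return b
}

// sign is the Validation Authority step, run in a batch for every issued
// certificate before any client asks; the records are copied to every responder.
func sign(priv ed25519.PrivateKey, serial uint64, revoked bool, now time.Time, ttl time.Duration) StatusRecord {
	r := StatusRecord{Serial: serial, Revoked: revoked, ThisUpdate: now.Unix(), NextUpdate: now.Add(ttl).Unix()}
	r.Sig = ed25519.Sign(priv, r.encode())
	return r
}

// verify is the client step on a record served by an unprotected responder:
// trust only the VA's signature and the validity window, never the responder.
func verify(pub ed25519.PublicKey, r StatusRecord, serial uint64, now time.Time) error {
	if r.Serial != serial {
		return errors.New("record is for a different serial")
	}
	if !ed25519.Verify(pub, r.encode(), r.Sig) {
		return errors.New("signature invalid: record altered or not from the VA")
	}
	if t := now.Unix(); t < r.ThisUpdate || t > r.NextUpdate {
		return errors.New("record outside its validity window (stale copy)")
	}
	return nil
}
```

The window check is what keeps an old "good" record from being served after the VA has issued a newer one, which is why the client must check it alongside the signature.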

Advantages

  • Small bandwidth between responder and clients
  • No trusted responders required
  • Scales to ten million users
  • Computationally simple (no signing per transaction)
  • Works with all issued certificates
  • Industry standard

Suitable Applications

A Distributed OCSP solution works well for deployments of anywhere from several thousand to hundreds of millions of users. If a government agency with a number of centers of operation scattered throughout the world wanted to issue smart cards which would allow access to a networked fileserver containing sensitive information, or allow entry to field offices, Distributed OCSP would be an excellent solution.