Implementing OCSP with NMAS
Novell Cool Solutions: Feature
Posted: 29 Dec 2003
The Online Certificate Status Protocol (OCSP) is an alternative to Certificate Revocation List (CRL) checking as a means of validating a certificate (or, practically speaking, of confirming that the holder of a certificate is still authorized to access the network). An OCSP server obtains revocation updates from the certificate authority, so that it knows which issued certificates have subsequently been revoked. Clients that need the current status of a certificate then ask the OCSP server about that one certificate instead of reading the CRL themselves, and get back an answer of "good", "revoked" or "unknown" for it. This is a more efficient way to validate a user, because the CRL is read only by the OCSP server and not by every client, and it therefore becomes practical to update the revocation data frequently, even online.
searchSecurity.com provides the definition below:
"OCSP (Online Certificate Status Protocol) is one of two common schemes for maintaining the security of a server and other network resources. The other, older method, which OCSP has superseded in some scenarios, is known as Certificate Revocation List (CRL).
"OCSP overcomes the chief limitation of CRL: the fact that updates must be frequently downloaded to keep the list current at the client end. When a user attempts to access a server, OCSP sends a request for certificate status information. The server sends back a response of "current," "expired," or "unknown." The protocol specifies the syntax for communication between the server (which contains the certificate status) and the client application (which is informed of that status). OCSP allows users with expired certificates a grace period, so they can access servers for a limited time before renewing."
How the Universal Smart Card method works with OCSP
If a certificate includes an AIA (Authority Information Access) extension whose OCSP access-method entry names an OCSP server, the Universal Smart Card method will contact that server to validate the certificate. No configuration is required in the smart card method itself; just make sure that the AIA extension, carrying the OCSP server's URL, is present in the certificate.
FYI: There are two ways for a client to find out where the OCSP server is. The current version of NMAS (2.2) supports only one of them. The two options are as follows:
1. Create an AIA extension on the certificate that points to the OCSP server. (Novell does not have an OCSP server product, but the Universal Smart Card method will communicate with third-party OCSP servers.) When the smart card method finds this extension, it contacts the OCSP server to confirm that the certificate is still valid. This option works with no configuration other than making sure the AIA extension is in place.
2. The other way is for the application using OCSP to define the location of the OCSP server itself. In the case of NMAS this would mean configuring the Universal Smart Card method with the location of the OCSP server. This functionality is not available in NMAS 2.2 but is being considered for a future version.
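To see what the AIA extension from option 1 actually has to contain, here is an added example (not code from the original article and not Novell's) that builds and parses the extension with only the Python standard library. The object identifiers are the standard PKIX values from RFC 3280; the certificate-authority and OCSP server URLs are constructed sample data, not real hosts.

```python
"""Encode and inspect the X.509 Authority Information Access (AIA) extension.
Added example (not from the original page or from Novell): stdlib-only DER code for
the AIA extension, where the Universal Smart Card method looks for the OCSP server URL.
OIDs are standard PKIX values (RFC 3280); the URIs below are constructed sample data."""

# Standard PKIX object identifiers (RFC 3280, section 4.2.2.1).
OID_AIA = "1.3.6.1.5.5.7.1.1"             # id-pe-authorityInfoAccess
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp: OCSP responder location
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers: issuer certificate download
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING, TAG_BOOLEAN = 0x30, 0x06, 0x04, 0x01
TAG_URI = 0x86  # GeneralName [6] uniformResourceIdentifier (IMPLICIT IA5String)

def _der_len(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value

def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))

def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_aia(entries) -> bytes:
    """AuthorityInfoAccessSyntax: SEQUENCE OF {accessMethod OID, accessLocation URI}."""
    descs = b"".join(_tlv(TAG_SEQUENCE, encode_oid(oid) + _tlv(TAG_URI, uri.encode("ascii")))
                     for oid, uri in entries)
    return _tlv(TAG_SEQUENCE, descs)

def encode_aia_extension(entries) -> bytes:
    """Extension {extnID, extnValue OCTET STRING}; RFC 3280 requires AIA to be non-critical."""
    return _tlv(TAG_SEQUENCE, encode_oid(OID_AIA) + _tlv(TAG_OCTET_STRING, encode_aia(entries)))

def parse_aia(extn_value: bytes):
    """Return [(access_method_oid, uri_or_None), ...] from an AIA extnValue."""
    tag, body, _ = _read_tlv(extn_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA extnValue must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, desc, pos = _read_tlv(body, pos)
        mtag, method, p = _read_tlv(desc, 0)
        ltag, location, _ = _read_tlv(desc, p)
        if tag != TAG_SEQUENCE or mtag != TAG_OID:
            raise ValueError("malformed AccessDescription")
        # Only a URI GeneralName is usable by an OCSP client; other name forms become None.
        entries.append((decode_oid(method), location.decode("ascii") if ltag == TAG_URI else None))
    return entries

def ocsp_responders(extn_value: bytes):
    """OCSP responder URLs only; caIssuers entries and non-URI locations are ignored."""
    return [uri for oid, uri in parse_aia(extn_value) if oid == OID_AD_OCSP and uri]

def ocsp_responders_from_extension(extension: bytes):
    """Same check from a whole Extension; [] when it is not an AIA extension at all."""
    _, body, _ = _read_tlv(extension, 0)
    _, extn_id, pos = _read_tlv(body, 0)
    if decode_oid(extn_id) != OID_AIA:
        return []
    tag, value, pos = _read_tlv(body, pos)
    if tag == TAG_BOOLEAN:  # skip an explicit 'critical' flag if a CA emitted one anyway
        tag, value, pos = _read_tlv(body, pos)
    return ocsp_responders(value) if tag == TAG_OCTET_STRING else []

# Constructed sample: an AIA naming both the issuer download and an OCSP server.
SAMPLE_ENTRIES = [(OID_AD_CA_ISSUERS, "http://ca.example.com/ca.cer"),
                  (OID_AD_OCSP, "http://ocsp.example.com/")]
SAMPLE_AIA = encode_aia(SAMPLE_ENTRIES)
SAMPLE_EXTENSION = encode_aia_extension(SAMPLE_ENTRIES)
```

The point of separating `ocsp_responders` from `parse_aia` is the check the article asks you to make: an AIA extension that only carries a caIssuers entry, or whose OCSP entry is not a URI, will not lead the smart card method to any OCSP server, so the function returns an empty list rather than the first location it finds. On a real certificate the same check is one command, `openssl x509 -in cert.pem -noout -ocsp_uri`, which prints the OCSP URI taken from the AIA extension and prints nothing when the extension is missing.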
For more info see TID 10088761
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com