[Cloud Computing] Mechanisms: Certificate Validation Service

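This article introduces the certificate validation service (CVS), which performs certificate revocation checking using the Online Certificate Status Protocol (OCSP) or the Server-based Certificate Validation Protocol (SCVP). A CVS provides the validity status of certificates by consuming certificate revocation lists (CRLs) containing the serial numbers of revoked certificates, and it can sign individual responses, which mitigates the impact of CRL failures and improves network performance.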


Certificate Validation Service


A certificate validation service (CVS) provides certificate validation either through revocation checking with the Online Certificate Status Protocol (OCSP) or through the Server-based Certificate Validation Protocol (SCVP), which covers all aspects of validation checking, as shown in Figure 1. Complete certificate validation requires that the certificate was issued from a trusted source, which means building a validated chain of intermediate certificates up to a trusted root and checking every digital signature along that chain. The certificate must also be within its validity period, be used within its appropriate usage, and not be revoked.


Figure 1 - An example of a CVS providing certificate revocation status.

A CVS consumes CRLs containing serial numbers of all the certificates that are revoked. When provided with a particular certificate or group of serials, the CVS responds with good, bad, or unknown. The CVS signs individual responses and can validate certificates referencing stale CRLs while notifying administrators of the situation.

An organization normally uses certificates throughout the enterprise, and all of them must be validated. Some applications stop working if a required CRL has expired. Others time out and continue to operate. In either case, there is uncertainty as to how an enterprise will be impacted when CRL failures occur. A CVS that signs responses mitigates CRL failures and provides increased network performance, because individual applications do not need to download CRLs separately.
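The behaviour described above (consume CRLs, answer good, bad, or unknown per serial, sign each response, keep answering from a stale CRL while alerting administrators) is sketched below as an added example that is not code from the original page or from any CVS product. Assumptions: the `Crl` and `Cvs` classes are hypothetical, the CRL is a constructed in-memory object rather than a parsed X.509 structure, and HMAC-SHA256 stands in for the responder's public-key signature.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Crl:                       # constructed stand-in for a parsed X.509 CRL
    issuer: str
    revoked: frozenset           # serial numbers the issuer has revoked
    next_update: datetime        # the CRL is stale after this time

class Cvs:
    def __init__(self, key: bytes):
        self.key = key           # assumption: HMAC key replaces a signing key pair
        self.crls = {}           # issuer -> most recent CRL consumed
        self.alerts = []         # messages queued for administrators

    def consume(self, crl: Crl) -> None:
        self.crls[crl.issuer] = crl

    def _sign(self, body: dict) -> str:
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def status(self, issuer: str, serial: int, now: datetime) -> dict:
        crl = self.crls.get(issuer)
        stale = crl is not None and now > crl.next_update
        if crl is None:
            state = "unknown"    # no CRL held for this issuer
        else:
            state = "bad" if serial in crl.revoked else "good"
        if stale:                # keep answering, but raise the problem
            self.alerts.append(f"stale CRL for {issuer}")
        body = {"issuer": issuer, "serial": serial, "status": state,
                "stale_crl": stale, "produced_at": now.isoformat()}
        return {"body": body, "sig": self._sign(body)}

    def verify(self, resp: dict) -> bool:
        return hmac.compare_digest(resp["sig"], self._sign(resp["body"]))

if __name__ == "__main__":
    cvs = Cvs(b"constructed-demo-key")
    cvs.consume(Crl("CN=Example CA", frozenset({0x1001}),
                    datetime(2024, 1, 8, tzinfo=timezone.utc)))
    for day, serial in [(5, 0x1001), (5, 0x2002), (10, 0x2002)]:
        r = cvs.status("CN=Example CA", serial, datetime(2024, 1, day, tzinfo=timezone.utc))
        print(r["body"], cvs.verify(r))
    print(cvs.alerts)
```

The `stale_crl` flag sits inside the signed body, so a relying party can see that a "good" answer was derived from an expired CRL and apply its own policy.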

Related Patterns:
