Distributed OCSP Responses
The ActivID Validation Suite delivers a complete certificate validation solution that includes ActivID Validation Authority and ActivID Validation Responders.
Distributed OCSP responses provided by Validation Authority are:
- Pre-generated - Created and published periodically, not based on specific requests.
- Individual - Each response corresponds to a single certificate or a small number of certificates.
- Small - Typically no more than a few hundred bytes per response.
- Verifiable - The use of digital signing means that forged or tampered responses can be distinguished from real responses.
- Bounded - Usable for a specific period of time.
The OCSP response format is structured as a set of status assertions that are digitally signed using the private signature key of Validation Authority. The body of the response includes information about its starting and ending times as well as the certificate’s revocation status. The digital signature is based on standard digital signature algorithms.
The following figure illustrates the contents of a hypothetical digitally signed response.
Validation Authority publishes OCSP responses to provide validation for digital certificates. The exact format of these responses is specified in the OCSP standard published by the IETF as RFC 6960. A response of this format is typically between 150 and 350 bytes in size and is compatible with all existing X.509 certificates. A relying party can trust this type of response based on the integrity of the digital signature.
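The following example is added here to make the five properties above concrete; it is not ActivID code and uses only the open-source Python `cryptography` package. One side plays the Validation Authority and pre-generates one small, signed, time-bounded RFC 6960 response per certificate without receiving any request; the other side plays the relying party and accepts a response only if its signature verifies, it is bound to the certificate being checked (serial number and issuer hashes), and the current time falls inside its thisUpdate/nextUpdate window. The CA, certificate names and the "key compromise" revocation are all constructed for the demonstration, and the CA key is used directly as the OCSP signing key; a deployed Validation Authority would normally sign with a dedicated responder key.

```python
"""Added example (not ActivID code): pre-generate and verify RFC 6960 OCSP responses.

Assumes the `cryptography` package (pip install cryptography). The CA signs the
responses itself here; a production responder would use a delegated signing key.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def utcnow():
    # Naive UTC, matching the datetimes the ocsp module returns.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_ca():
    """Constructed demo CA that will also act as the OCSP response signer."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Validation CA")])
    now = utcnow()
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, common_name):
    """Constructed end-entity certificate issued by the demo CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = utcnow()
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))


def pregenerate(ca_key, ca_cert, leaves, revoked_serials, this_update, lifetime):
    """Validation Authority side: one individual, signed, bounded response per
    certificate, produced on a schedule rather than in reply to a request.
    Returns {serial: DER-encoded OCSPResponse}."""
    published = {}
    for leaf in leaves:
        revoked = leaf.serial_number in revoked_serials
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=leaf, issuer=ca_cert, algorithm=hashes.SHA256(),
            cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
            this_update=this_update, next_update=this_update + lifetime,
            revocation_time=this_update if revoked else None,
            revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
        response = builder.sign(ca_key, hashes.SHA256())
        published[leaf.serial_number] = response.public_bytes(serialization.Encoding.DER)
    return published


def validate(der, leaf, issuer, now):
    """Relying-party side. Returns 'good', 'revoked', or the reason for rejection."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unsuccessful"
    # Verifiable: the signature covers tbsResponseData, so any tampering breaks it.
    try:
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return "bad-signature"
    # Individual: the CertID in the response must match the certificate we are checking.
    expected = ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA256()).build()
    if (resp.serial_number != expected.serial_number
            or resp.issuer_key_hash != expected.issuer_key_hash
            or resp.issuer_name_hash != expected.issuer_name_hash):
        return "wrong-certificate"
    # Bounded: only usable between thisUpdate and nextUpdate.
    if not (resp.this_update <= now <= resp.next_update):
        return "expired"
    return "revoked" if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED else "good"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    leaf = issue_leaf(ca_key, ca_cert, "device-0001.example")
    t0 = utcnow()
    der = pregenerate(ca_key, ca_cert, [leaf], set(), t0, datetime.timedelta(days=1))[leaf.serial_number]
    print(len(der), "bytes:", validate(der, leaf, ca_cert, t0 + datetime.timedelta(hours=1)))
```

Flipping a single byte of the published DER, presenting a response for one certificate while checking another, or replaying it after nextUpdate all turn a `good` verdict into a rejection, which is the behaviour a relying party depends on when responses are distributed ahead of time rather than fetched per request. The DER a run produces is a few hundred bytes, in line with the sizes quoted above.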
ActivID Distributed OCSP responses are fully compatible with any relying party that uses the OCSP standard for performing validation. However, ActivID Distributed OCSP responses maintain the distinct advantages of availability, scalability, and security which traditional OCSP and CRL-based implementations lack. This enables OCSP to be used to manage millions of certificates over a global physical environment.