Non-Distributed Operations

You can configure Validation Authority to offer OCSP service directly to relying party applications, returning an individually signed response for each OCSP request. This direct OCSP interface is typically used in one of the following cases:

  • When an OCSP request contains a nonce. Such a request cannot be serviced by distributed Validation Responders, because a Responder serves pre-signed responses and cannot perform cryptographic operations; only a freshly signed response can bind the nonce to the request,

  • When a distributed OCSP Responder does not have revocation status information for a certificate issued by a known certificate issuer,

  • When configurations do not make use of distributed OCSP Responders.

Upon receipt of a request, the direct OCSP interface verifies the revocation status of the certificate named in the request, creates a digitally signed response, and returns that response to the relying party.
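The routing decision described above can be illustrated with a small standard-library Python example. This is an added example, not code from the Validation Authority product: it encodes a minimal DER OCSP request (with or without the id-pkix-ocsp-nonce extension, OID 1.3.6.1.5.5.7.48.1.2), then decides whether a non-signing distributed responder can answer from its cache of pre-signed statuses or must relay the request to the signing direct interface. The hash values, serial number, nonce, and cache contents are constructed; the handling of a request for an issuer the responder does not know at all (returned here as "unauthorized", following RFC 6960) is an assumption, since the text above only covers known issuers.

```python
import hashlib

# id-pkix-ocsp-nonce (1.3.6.1.5.5.7.48.1.2) as DER-encoded OID contents.
NONCE_OID = bytes.fromhex("2b0601050507300102")
# AlgorithmIdentifier for SHA-1 (1.3.14.3.2.26) with NULL parameters.
SHA1_ALGID = bytes.fromhex("3009" "06052b0e03021a" "0500")

# Constructed sample CertID inputs; a real client hashes the issuer's DN and key.
ISSUER_NAME_HASH = hashlib.sha1(b"constructed issuer name").digest()
ISSUER_KEY_HASH = hashlib.sha1(b"constructed issuer key").digest()
SERIAL = 0x1234
# Constructed cache of pre-signed statuses held by a distributed responder.
STATUS_CACHE = {(ISSUER_KEY_HASH, SERIAL): "good"}
KNOWN_ISSUERS = {ISSUER_KEY_HASH}


def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Positive INTEGER; a leading zero byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial, nonce=None):
    """OCSPRequest { tbsRequest { requestList, [2] requestExtensions OPTIONAL } }."""
    cert_id = tlv(0x30, SHA1_ALGID + tlv(0x04, issuer_name_hash)
                  + tlv(0x04, issuer_key_hash) + der_int(serial))
    tbs = tlv(0x30, tlv(0x30, cert_id))          # requestList with one Request
    if nonce is not None:
        # Extension { extnID, extnValue OCTET STRING wrapping OCTET STRING nonce }
        ext = tlv(0x30, tlv(0x06, NONCE_OID) + tlv(0x04, tlv(0x04, nonce)))
        tbs += tlv(0xA2, tlv(0x30, ext))         # [2] EXPLICIT Extensions
    return tlv(0x30, tlv(0x30, tbs))


def read_tlv(data, pos=0):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out


def parse_request(der):
    """Return ([(issuerKeyHash, serial), ...], nonce-or-None) from a request."""
    _, ocsp_body, _ = read_tlv(der)
    _, tbs_body, _ = read_tlv(ocsp_body)
    cert_ids, nonce = [], None
    for tag, body in children(tbs_body):
        if tag == 0x30:                          # requestList
            for _, req_body in children(body):
                fields = children(children(req_body)[0][1])   # CertID fields
                serial = int.from_bytes(fields[3][1], "big", signed=True)
                cert_ids.append((fields[2][1], serial))
        elif tag == 0xA2:                        # requestExtensions
            for _, ext_body in children(children(body)[0][1]):
                ext_fields = children(ext_body)
                if ext_fields[0][1] == NONCE_OID:
                    nonce = read_tlv(ext_fields[-1][1])[1]    # unwrap inner OCTET STRING
    return cert_ids, nonce


def route_request(der, known_issuers=KNOWN_ISSUERS, status_cache=STATUS_CACHE):
    """Decide how a non-signing distributed responder handles one request."""
    cert_ids, nonce = parse_request(der)
    if nonce is not None:
        return "relay-to-direct"     # only the signing interface can bind the nonce
    for issuer_key_hash, serial in cert_ids:
        if issuer_key_hash not in known_issuers:
            return "unauthorized"    # assumption: unknown issuer, RFC 6960 style
        if (issuer_key_hash, serial) not in status_cache:
            return "relay-to-direct" # known issuer, no status information held
    return "serve-from-cache"


if __name__ == "__main__":
    plain = build_ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, SERIAL)
    with_nonce = build_ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, SERIAL, b"\x01" * 16)
    print(route_request(plain), route_request(with_nonce))
```

Running the module prints the two routing outcomes for the same certificate: the plain request is served from the cache, while the identical request carrying a nonce is relayed, which is why nonce-bearing traffic counts against the HSM signing capacity mentioned below.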

Administrators must exercise caution when making use of the Validation Authority direct OCSP interface. Because every response is signed individually, the process becomes more resource-intensive as the volume of OCSP requests increases, and the number of responses that Validation Authority can create is limited by the rate at which the HSM can generate digital signatures. Also, for Validation Authority to receive requests, relying parties must be able to reach it from the external network, which exposes Validation Authority to additional security risk (for more information, refer to Security Considerations for Non-Distributed Operations).

  • For information about configuring the direct OCSP interface, refer to Configure Data Input - Direct OCSP Interface.

  • For information about configuring Responders to relay requests to the direct OCSP interface, refer to OCSP Request Relaying and Relay URL.

  • For information about configuring OCSP request options and OCSP response acceptance parameters, refer to the documentation supplied with your relying party applications.