Batch OCSP and batch distributed OCSP

Abstract

Providing information about digital certificate validity includes obtaining a plurality of signing key / verification key pairs, where each signing key provides a digital signature and a corresponding one of the verification keys verifies the digital signature and where digitally signing together a plurality of data elements using the signing keys is computationally more efficient than digitally signing each of the data elements individually, ascertaining digital certificate validity status for each certificate in a set of digital certificates, generating a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates, and digitally signing together the artificially pre-computed messages using signing keys from the pairs. Ascertaining digital certificate validity status may include obtaining authenticated information about digital certificates. The authenticated information about digital certificates may be generated by an entity that also revokes certificates. The authenticated information about digital certificates may be a CRL. The artificially pre-computed responses may be OCSP format responses.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS [0001] This application claims priority to U.S. provisional application 60 / 535,666 filed on Jan. 9, 2003, and on U.S. provisional application 60 / 536,817 filed on Jan. 15, 2003, both of which are incorporated by reference herein.BACKGROUND OF THE INVENTION [0002] 1. Technical Field [0003] This application relates to the field of digital certificates, and more particularly to the field of verifying and validating digital certificates and other information. [0004] 2. Description of Related Art [0005] Digital signatures provide an effective form of Internet authentication. Unlike traditional passwords and PINs, digital signatures authenticate transactions in a way that is universally verifiable. Thus, it is very difficult, if not impossible, to repudiate a transaction that has been digitally signed. Digital signatures are produced via a signing key, SK, and verified via a matching verification key, PK. A user U keeps his own SK secret so that only...

AI Technical Summary

Benefits of technology

The present invention provides a method for providing information about the validity of digital certificates by ascertaining the status of each certificate in a set of digital certificates, generating artificially pre-computed messages about the validity of a subset of the certificates, and digitally signing the messages. This allows for efficient and accurate responses to requests for information about the validity of digital certificates. The invention also includes computer software that facilitates the process of obtaining signing key / verification key pairs and utilizing them for digital certificate validation. The technical effects of the invention include improved efficiency and accuracy in providing information about digital certificate validity.

Problems solved by technology

Thus, it is very difficult, if not impossible, to repudiate a transaction that has been digitally signed.

Fortunately, key PK does not “betray” the matching key SK; that is, knowledge of PK does not provide any practical advantage in computing SK.

According to such a revocation rate, a system having ten million certificates would generate a CRL containing one million serial numbers, which could make the CRL unwieldy.

Though this problem can be lessened by more recently introduced CRL-partition techniques, the basic strategy of bundling together the revocation information of many certificates is still likely to generate inconvenience and cost.

This may be unacceptable in certain situations such as, for example, a wireless transaction, where having to transmit this many bits (as protection against future disputes and potential legal claims) may be impractical.

Of course, a malicious / compromised OCSP responder may provide arbitrary signed answers about the certificates of a given CA, with or without consulting any CRL's.

There are significant drawbacks to OCSP.

In the first place, digital signatures are computationally intensive operations.

The digital signature created by a conventional OCSP responder on each OCSP response is generated at the time of the request, and may be the most computationally intensive part of the validation operation.

Even if a conventional OCSP responder caches a digital signature about a digital certificate C after being asked the first time about C and then sent the cached signature when asked about C afterwards, still the answer to the first user asking about C may be significantly delayed due to generation of the initial digital signature.

In addition, if there is a single OCSP responder, then all certificate-validity queries would, eventually, be routed to the single OCSP responder, which then may become a major network bottleneck and cause considerable congestion and delays.

If huge numbers of honest users suddenly queried this OCSP responder, then a disrupting denial of service situation could ensue.

However, for OCSP, load distribution may introduce additional problems because, in order to provide signed responses to the certificate-validity queries, each of the one hundred distributed conventional OCSP responders would have its own secret signing key.

Thus, compromising any of the one hundred servers could effectively compromise the entire organization.

Unfortunately, this is a costly option.

A truly secure vault, meeting all the requirements of—say—a financial CA, may cost over one million dollars to build and one million dollars a year to operate.

In addition, even if an organization were willing to pick up such expenses, vaults can not be built overnight.

Thus if a CA needed a few more vaults to lessen the load of its current conventional OCSP responders, there may be a delay of months before new properly-vaulted OCSP responders could be constructed.

Moreover, incurring the costs of multiple vaults may not solve the OCSP security problems.

Furthermore, there are difficulties associated with OCSP with respect to servicing certificate validity requests originating from different security domains.

For instance, conventional OCSP responders run by organization A may easily provide responses about the status of certificates of the CA of organization A, but OCSP responders run by another organization may not have enough information to provide responses about “foreign” certificates.

First, the relying parties from organization B could obtain from the responders from organization A the status of certificates from the CA of organization A. This limits performance however, since the OCSP responders from organization A may be geographically distant from relying parties of organization B, so network times may greatly slow overall validation processing.

This second alternative may provide better scalability and performance, but it muddies the security and trust flow between the two organizations.

If the OCSP responder 44 makes an incorrect response for any reason (misconfiguration, hostile attack, or straightforward dishonesty), the OCSP responder 44 may thus negatively impact the organization of the CA 64.

This type of delegation-of-trust between organizations may be acceptable in some cases, but it is not a generally useful alternative for any large-scale heterogeneous deployment of traditional OCSP.

Images