Advanced Certificate Status Protocol
Dae Hyun Yum, Jae Eun Kang, and Pil Joong Lee
Department of Electronic and Electrical Engineering, POSTECH
Hyoja-dong, Nam-Gu, Pohang, Kyoungbuk, 790-784, Rep. of Korea
{dhyum,florist,pjl}@postech.ac.kr
http://islab.postech.ac.kr
Abstract. This paper proposes ACSP (Advanced Certificate Status Protocol), a new online certificate status checking protocol. ACSP is a flexible revocation status checking system, because ACSP allows users to set their own recency requirements. In addition, ACSP is very efficient, because in most environments ACSP requires smaller computational and communication costs than OCSP. In fact, OCSP can be considered a special case of ACSP. We also propose ACSP+, a variant of ACSP with a proxy responder.
Keywords: PKI, certificate revocation, CRL, OCSP, ACSP.
1 Introduction
As electronic commerce becomes an indispensable element of today's Internet, PKI (Public Key Infrastructure) is gaining considerable attention because it can provide security services such as authentication, confidentiality and integrity. The main idea of PKI is the digital certificate, a digitally signed statement binding an entity to its public key. While we have reached a mature stage in issuing digital certificates and evaluating them, we are still in a controversial stage when it comes to revocation. We cannot even agree on what revocation means [1]. In this paper, we focus our discussion on the mechanism of revocation, and this discussion is valid whichever meaning of revocation we accept.

When a certificate is issued, its validity is limited by a pre-defined expiration time. Since there are instances where a certificate must be nullified prior to its expiration time, the existence of a certificate is a necessary but not sufficient condition for its validity. The CRL (Certificate Revocation List) is the most common mechanism for determining whether a certificate is revoked [3]. A CRL is a signed list of revoked certificates that is periodically issued by the CA (Certification Authority). The most important drawback of CRLs is that the size of a CRL can grow arbitrarily large. This causes unnecessary consumption of storage and bandwidth, which cannot be tolerated in some environments. Another shortcoming of CRLs is that the time granularity of revocation is constrained by the CRL issuance period. If a certificate is revoked between CRL issuance periods, people
This research was supported by the University IT Research Center Project, the Brain Korea 21 Project, and Com²MaC-KOSEF.