4 ACSP+
4.1 Mechanism
In on-line certificate revocation status checking protocols, the response can be
signed by the CA or other trusted parties. For example, the key used to sign an
OCSP response can belong to one of the following [10]:
1. the CA who issued the certificate in question
2. a Trusted Responder whose public key is trusted by the acceptor
3. a CA designated responder (authorized responder) who holds a specially
marked certificate issued directly by the CA, indicating that the responder
may issue responses for that CA
If we adopt a proxy responder, the CA need not be involved in the revocation status checking process. This improves the scalability of the revocation status checking system.
To construct ACSP+ (ACSP with a proxy responder), we have to make some changes to ACSP, since the proxy responder cannot issue a new certificate as a response. Firstly, an ACSP+ response is a signed message indicating that the queried certificate is valid at time t_q, and the signer transmits this response with Cert, thereafter. Secondly, the acceptor's recency period is checked against an ACSP+ response rather than against a certificate.
We now present ACSP+, in which a proxy responder is involved. As with ACSP, there are two types of ACSP+, and their performance does not differ much.
4.1.1 ACSP+ (I).
STEP1. Alice sends a message M with a signature value S, her certificate Cert and the previous ACSP+ response R. If the previous ACSP+ response R satisfies Bob's recency period, he accepts Alice's certificate as valid and halts the ACSP+ protocol. Otherwise, the following steps are executed.
STEP2. Bob sends an ACSP+ request to a proxy responder in order to check whether Cert is revoked or not.
STEP3. The proxy responder checks the revocation status of Cert and sends an ACSP+ response R to Bob. After receiving the ACSP+ response R, Bob can decide whether Alice's certificate Cert is revoked or not.
STEP4. Bob sends the ACSP+ response R to Alice and she replaces the previous ACSP+ response R with the new ACSP+ response R.
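The four steps above, seen from Bob's side, as an added Python sketch that is not code from the original text. Assumptions: HMAC under a constructed demo key stands in for the proxy responder's signature, the responder returns no response for a revoked certificate, and all function names, serials and times are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the proxy responder's public-key
# signature so the example runs on the standard library alone.
RESPONDER_KEY = b"constructed-demo-key"
REVOKED = set()  # certificate serials the proxy responder knows are revoked


def _mac(body: str) -> str:
    return hmac.new(RESPONDER_KEY, body.encode(), hashlib.sha256).hexdigest()


def responder_issue(cert: str, now: int):
    """STEP3: sign 'cert is valid at t_q = now'. Assumption: no response if revoked."""
    if cert in REVOKED:
        return None
    body = json.dumps({"cert": cert, "t_q": now}, sort_keys=True)
    return {"body": body, "sig": _mac(body)}


def response_ok(resp, cert: str, now: int, recency: int) -> bool:
    """Bob's check: authentic, bound to this certificate, within his recency period."""
    if resp is None or not hmac.compare_digest(resp["sig"], _mac(resp["body"])):
        return False
    claim = json.loads(resp["body"])
    return claim["cert"] == cert and 0 <= now - claim["t_q"] <= recency


def bob_accepts(cert: str, cached, now: int, recency: int):
    """Returns (accepted, response Alice keeps, whether the responder was queried)."""
    if response_ok(cached, cert, now, recency):
        return True, cached, False          # STEP1: accept and halt
    fresh = responder_issue(cert, now)      # STEP2 and STEP3
    if not response_ok(fresh, cert, now, recency):
        return False, cached, True
    return True, fresh, True                # STEP4: Alice replaces her cached response


if __name__ == "__main__":
    r = responder_issue("serial-01", 1000)         # constructed serial and times
    print(bob_accepts("serial-01", r, 1030, 60))   # cached response is recent enough
    print(bob_accepts("serial-01", r, 1100, 60))   # too old: responder is queried
```

Because STEP1 halts on a cached response, a certificate revoked after t_q is still accepted until the response ages past the acceptor's recency period, so that period bounds the exposure window.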