Traditional Online Certificate Status Protocol (T-OCSP)
Traditional OCSP is a technology which alleviates some of the scalability issues of CRLs by adding a layer of Responders between the Certificate Authority, which is the source of the CRL, and the clients. The Responders all receive a CRL, and the clients ask a Responder for validation information about a set of credentials to determine whether a person is authorized to do what he or she is trying to do.
Using T-OCSP, the size of the CRL is no longer as problematic since the clients never receive the entire list of revoked certificates, instead receiving a relatively small amount of information regarding a particular certificate. However, because each Responder is a security risk, the cost of protecting each of them from attack is large. Because of this, it is often cost-prohibitive to set up multiple Responders in several locations, and with fewer Responders a system will be significantly slower.
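The query flow described above, as an added example that is not part of the original page: a Responder holds the full CRL, answers one certificate at a time, and signs every answer. The serial numbers, the key and all function names are constructed for illustration, and HMAC-SHA256 with a shared demo key stands in for the Responder's public-key signature so the code runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed sample data: serial numbers of revoked certificates (the CRL).
CRL = {f"{n:08X}" for n in range(1000, 6000)}  # 5,000 revoked serials
RESPONDER_KEY = b"constructed-demo-key"  # stand-in for the Responder's signing key


class Responder:
    """Holds the full CRL and answers status queries one certificate at a time."""
    def __init__(self, crl, key):
        self.crl = set(crl)
        self.key = key
        self.signatures_made = 0  # one signing operation per transaction

    def query(self, serial):
        status = "revoked" if serial in self.crl else "good"
        body = json.dumps({"serial": serial, "status": status}, sort_keys=True).encode()
        # HMAC-SHA256 stands in for the digital signature a real Responder makes.
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        self.signatures_made += 1
        return {"body": body.decode(), "sig": sig}


def client_check(response, serial, key):
    """Return the status only if the response is authentic and is about `serial`."""
    body = response["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["sig"]):
        return "rejected"  # not signed by the trusted Responder
    data = json.loads(body)
    if data["serial"] != serial:
        return "rejected"  # signed answer about a different certificate
    return data["status"]


def sizes(responder, serial):
    """Bytes a client downloads: full CRL versus one Responder answer."""
    crl_bytes = len("\n".join(sorted(responder.crl)).encode())
    resp_bytes = len(json.dumps(responder.query(serial)).encode())
    return crl_bytes, resp_bytes


if __name__ == "__main__":
    r = Responder(CRL, RESPONDER_KEY)
    for s in ("000003E8", "00000001"):
        print(s, client_check(r.query(s), s, RESPONDER_KEY))
    print("CRL bytes vs response bytes:", sizes(r, "00000001"))
```

The client's decision rests entirely on the Responder's key, which is why each Responder has to be protected as a trusted component.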
Advantages/Disadvantages
Advantages:
- Small bandwidth between responder and clients
- Works with all issued certificates
- Industry standard
Disadvantages:
- Requires trusted responders (extremely expensive)
- Requires digital signing at each transaction (very slow)
- Does not scale past 100,000 users
- Loss of security if any responder is compromised

Suitable Applications
OCSP works well for deployments with tens of thousands of users in close proximity to each other. For example, a university with a single large campus could issue smartcards to all its students which allow them access to dormitories, libraries, and campus-wide computer networks.
