The Internet Engineering Task Force defines Online Certificate Status Protocol Version 1 in RFC 2560 and is currently working on Version 2. This new version will add the ability to request information on the status of a certificate at some point in the past, a feature Certificate Revocation Lists and the current standard do not support.
The new version also addresses the validation of attribute certificates. These allow the separation of authentication information, stored in the certificate used to gain access, from authorization information, stored in a separate certificate that identifies the specific services that can be accessed. It also clarifies some parts of OCSP Version 1.
It's not clear that OCSP Version 2 will add immediately necessary features to OCSP Version 1, which is now supported by most major public-key infrastructure vendors.
Some industry watchers even say extending OCSP, as proposed in Version 2, will make a simple protocol unnecessarily complicated. RFC 2560's primary editor, Ambarish Malpani, favors an alternative, the Simple Certificate Validation Protocol (SCVP), as a way to add features rather than extending OCSP in ways that might slow its deployment. "We can either continue with OCSP in the standards processes with the IETF, although some clarification is necessary, or we can specify a new protocol [when more features are required]. OCSP is a very targeted protocol, which is part of its strength for interoperability and standardization," explains Malpani, who is co-founder and chief architect at ValiCert, a certificate validation vendor in Mountain View, Calif. SCVP extends validation to include attributes, as is proposed in OCSP Version 2. But it goes beyond answering the simple question "is this certificate valid?" to the more complex "is this certificate valid for this particular purpose?"
It also simplifies the tasks the client must perform to validate a certificate, moving the potentially complex process of building certificate chains to the server. This makes client software more lightweight and better suited, for example, to wireless devices, but it also makes server software more complex. SCVP is still in the IETF draft process.
While it's not clear whether vendors will support OCSP Version 2 and SCVP, or whether a merged "superset" standard will appear, it's certain OCSP Version 1 is here to stay. It provides a simple mechanism for building certificate status checking and validation into many applications, which can only facilitate the deployment of PKI-based solutions.