Certificate validation, one of the most important and complex tasks in a Public Key Infrastructure (PKI), is still a challenging topic nowadays due to scalability and complexity issues. Validation of an X.509 certificate requires checking its revocation status, either by consulting the so-called Certificate Revocation Lists or by contacting a specific server via the Online Certificate Status Protocol (OCSP). As more and more relying parties need to validate the certificates used for various purposes (such as digital signature, server authentication, and secure e-mail), the OCSP servers become overloaded. Thus, an increasing effort is currently dedicated to the creation and management of scalable certificate validation architectures. In this work, we discuss scalability challenges in OCSP-based certificate validation, and we propose a method to evaluate the OCSP server performance in stress conditions. Next, we experimentally measure the performance, expressed in terms of response time and throughput, of some open-source OCSP implementations. Finally, we propose and evaluate our own scalable OCSP-based certificate validation system, named FcgiOCSP because it exploits the FastCGI interface. Experimental results demonstrate the high performance of FcgiOCSP with respect to other OCSP implementations evaluated in this work.

FcgiOCSP: a scalable OCSP-based Certificate Validation System exploiting the FastCGI interface / Berbecaru, DIANA GRATIELA; Casalino, MATTEO MARIA; Lioy, Antonio. - In: SOFTWARE-PRACTICE & EXPERIENCE. - ISSN 0038-0644. - PRINT. - 43:12(2013), pp. 1489-1518. [10.1002/spe.2148]

FcgiOCSP: a scalable OCSP-based Certificate Validation System exploiting the FastCGI interface

BERBECARU, DIANA GRATIELA;CASALINO, MATTEO MARIA;LIOY, ANTONIO
2013

Use this identifier to cite or link to this document: https://hdl.handle.net/11583/2500631