Proposal and Analysis of a Distributed Online Certificate Status Protocol with Low Communication Cost

The Public Key Infrastructure (PKI) technology is very important to support the electronic commerce and digital communications on existing networks. The Online Certificate Status Protocol (OCSP) is the standard protocol for retrieving certificate revocation information in the PKI. To minimize the damages caused by OCSP responder's private key exposure, a distributed OCSP composed of multiple responders is needed. This paper presents a new distributed OCSP with a single public key by using key-insulated signature scheme [6]. In proposed distributed OCSP, each responder has the different private key, but corresponding public key remains fixed. Therefore the user simply obtains and stores one certificate, and can verify any responses by using a single public key.

[1]  S. Micali Eecient Certiicate Revocation , 1996 .

[2]  Jose L. Muñoz,et al.  Using OCSP to Secure Certificate-Using Transactions in M-commerce , 2003, ACNS.

[3]  Ronald L. Rivest,et al.  Can We Eliminate Certificate Revocations Lists? , 1998, Financial Cryptography.

[4]  Ran Canetti,et al.  Proactive Security: Long-term protection against break-ins , 1997 .

[5]  Kouichi Sakurai,et al.  A Distributed Online Certificate Status Protocol with a Single Public Key , 2004, Public Key Cryptography.

[6]  Mihir Bellare,et al.  A Forward-Secure Digital Signature Scheme , 1999, CRYPTO.

[7]  Shohachiro Nakanishi,et al.  Certificate Revocation Protocol Using k-Ary Hash Tree , 2001 .

[8]  Shouhuai Xu,et al.  Strong Key-Insulated Signature Schemes , 2003, Public Key Cryptography.

[9]  S. Santesson Certificate and Certificate Revocation List (CRL) Profile , 2005 .

[10]  Shohachiro Nakanishi,et al.  Performance Evaluation of Certificate Revocation Using k-Valued Hash Tree , 1999, ISW.

[11]  Yvo Desmedt,et al.  Threshold Cryptosystems , 1989, CRYPTO.

[12]  Shouhuai Xu,et al.  Key-Insulated Public Key Cryptosystems , 2002, EUROCRYPT.

[13]  Paul C. Kocher On Certificate Revocation and Validation , 1998, Financial Cryptography.

[14]  S. Micali,et al.  NOVOMODO : Scalable Certificate Validation and Simplified PKI Management , 2002 .

[15]  Russ Housley,et al.  Delegated Path Validation and Delegated Path Discovery Protocol Requirements , 2001, RFC.

[16]  A. Malpani,et al.  Simple certificate validation protocol , 2003 .

[17]  Ralph C. Merkle,et al.  A Certified Digital Signature , 1989, CRYPTO.

[18]  Carlisle M. Adams,et al.  X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP , 1999, RFC.

[19]  Gene Itkis,et al.  SiBIR: Signer-Base Intrusion-Resilient Signatures , 2002, CRYPTO.

[20]  Moni Naor,et al.  Certificate revocation and certificate update , 1998, IEEE Journal on Selected Areas in Communications.

[21]  Andrew Nash,et al.  PKI: Implementing and Managing E-Security , 2001 .