Design and implementation of a lightweight online certificate validation service

A PKI (public key infrastructure) provides for a digital certificate that can identify an individual or an organization. However, the existence of a certificate is a necessary but not sufficient evidence for its validity. The PKI needs to provide applications that use certificates with the ability to validate, at the time of usage, that a certificate is still valid (not revoked). One of the two standard protocols to check the revocation status of certificates is the Online Certificate Status Protocol (OCSP). In this article, we propose an OCSP-based implementation that enhances the performance of standard OCSP. In particular, we put special emphasis on those issues that affect security and performance when the validation service is deployed in a real scenario. Finally, we provide experimental results that show that our implementation outperforms standard OCSP.