The Research And Application Of OCSP-based Online Certificate Status Validation System

Posted on: 2009-05-11
Degree: Master
Type: Thesis
Country: China
Candidate: Q Zhang
GTID: 2178360245963626
Subject: Computer application technology
Abstract/Summary:
Digital certificate status validation is an important part of Public Key Infrastructure (PKI), providing certificate revocation information to users. OCSP is a well-known protocol for validating digital certificate status. It can provide up-to-date certificate status information to users who query a responder. However, OCSP has some limitations as a new member of the suite of PKIX protocols.

Firstly, based on in-depth study and analysis of OCSP, this thesis proposes an improved OCSP that addresses the existing problems of OCSP by improving the OCSP response. In addition to the basic type of OCSP response, a new A type is included. Secondly, an efficient online certificate status validation system based on the improved OCSP is devised. The improved OCSP responder in the system takes the certificate repository of the CA as its information source and in this way provides timely certificate status information to clients. Meanwhile, the performance of the responder is improved through a hash table, signing in advance and multi-threading, and replay attacks and denial-of-service attacks are resisted efficiently. Thirdly, this thesis proposes a scheme that applies the efficient validation system to cross-certification. Under the application scheme, the responder not only checks certificate status and answers certificate status queries across different trust domains, but also builds a certificate path and validates it, which resolves the difficulty of constructing the certificate path among different trust domains in cross-certification. Finally, the online certificate status validation system based on the improved OCSP and its application in cross-certification are each tested, and the test results are analyzed.

The system devised reduces the average response time and ensures the correctness and timeliness of OCSP responses, and has great advantages for improving E-Commerce and E-Government. The application scheme of this system for cross-certification effectively improves the functionality of the OCSP responder and alleviates the burden on clients. So we believe that this scheme will be valuable for research on digital certificates.
Keywords/Search Tags: PKI, Digital Certificate, OCSP, Certificate Status, Cross-certification