Authors:
Manuel Koschuch
and
Ronald Wagner
Affiliation:
FH Campus Wien - University of Applied Science, Austria
Keyword(s):
OCSP, CRL, X.509v3, Browser, Evaluation.
Related Ontology Subjects/Areas/Topics:
Data Communication Networking; Implementation and Experimental Test-Beds; Network Applications (Web, Multimedia Streaming, Gaming, Etc.); Network Protocols; Telecommunications
Abstract:
X.509v3 certificates are the current standard for verifiably associating an entity with a public key, and are widely used in different networking applications: from HTTPS in browsers and SSH connections to e-mail, PDF and code signing. This wide usage also necessitates a robust, reliable way to detect and deal with compromised or otherwise invalid certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) are the two mechanisms currently deployed to handle revoked certificates. In this position paper we present preliminary results of our research into the practical use of these protocols, using an existing data-set to show that almost 85% of certificates currently in use contain no revocation information, and compare different browsers under different operating systems as to how they deal with unreachable OCSP servers. We find that browser behaviour in this case ranges from opening the site without any warning whatsoever to totally blocking it, indicating no clear default reaction and no reliable behaviour.
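The "no revocation information" classification in the abstract comes down to one question per certificate: does it carry a CRL Distribution Points extension or an OCSP URI in its Authority Information Access extension? Without at least one of those pointers a client has nowhere to look, whatever its revocation policy. The following Python is an added example, not code from the paper or its data-set. It assumes the third-party `cryptography` package is installed, builds a few self-signed throwaway certificates in memory (the hostnames under `.invalid` are constructed for the example), and runs the check over them; the function names `revocation_pointers`, `has_revocation_info` and `share_without_revocation_info` are chosen here.

```python
"""Classify X.509 certificates by the revocation pointers they carry.

Added example (not from the paper): uses the `cryptography` package
(assumed installed) to look for a CRL Distribution Points extension and
an OCSP access description in the Authority Information Access extension.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID


def revocation_pointers(cert: x509.Certificate) -> dict:
    """Return the CRL and OCSP URLs embedded in `cert` (empty lists if none)."""
    crl_urls, ocsp_urls = [], []
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
        for dp in cdp.value:
            # A distribution point may use a relative name instead of full_name.
            for name in dp.full_name or []:
                if isinstance(name, x509.UniformResourceIdentifier):
                    crl_urls.append(name.value)
    except x509.ExtensionNotFound:
        pass
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess)
        for desc in aia.value:
            # AIA also carries caIssuers entries; only the OCSP method counts here.
            if (desc.access_method == AuthorityInformationAccessOID.OCSP
                    and isinstance(desc.access_location, x509.UniformResourceIdentifier)):
                ocsp_urls.append(desc.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return {"crl": crl_urls, "ocsp": ocsp_urls}


def has_revocation_info(cert: x509.Certificate) -> bool:
    info = revocation_pointers(cert)
    return bool(info["crl"] or info["ocsp"])


def share_without_revocation_info(certs) -> float:
    """Fraction of `certs` that a client could never check for revocation."""
    certs = list(certs)
    if not certs:
        return 0.0
    missing = sum(1 for c in certs if not has_revocation_info(c))
    return missing / len(certs)


def make_test_cert(crl_url=None, ocsp_url=None) -> x509.Certificate:
    """Self-signed throwaway certificate; the URLs are constructed test data."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "test.invalid")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if crl_url:
        builder = builder.add_extension(
            x509.CRLDistributionPoints([
                x509.DistributionPoint(
                    full_name=[x509.UniformResourceIdentifier(crl_url)],
                    relative_name=None, reasons=None, crl_issuer=None)
            ]),
            critical=False,
        )
    if ocsp_url:
        builder = builder.add_extension(
            x509.AuthorityInformationAccess([
                x509.AccessDescription(
                    AuthorityInformationAccessOID.OCSP,
                    x509.UniformResourceIdentifier(ocsp_url))
            ]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


# Constructed sample set: one cert with neither pointer, one with each, one with both.
SAMPLE_CERTS = [
    make_test_cert(),
    make_test_cert(crl_url="http://crl.example.invalid/ca.crl"),
    make_test_cert(ocsp_url="http://ocsp.example.invalid/"),
    make_test_cert(crl_url="http://crl.example.invalid/ca.crl",
                   ocsp_url="http://ocsp.example.invalid/"),
]

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(revocation_pointers(c))
    print(f"{share_without_revocation_info(SAMPLE_CERTS):.0%} of sample certs carry no revocation pointers")
```

To reproduce the kind of measurement the abstract reports, feed `share_without_revocation_info` the certificates of a real data-set loaded with `x509.load_pem_x509_certificate` or `x509.load_der_x509_certificate` instead of the constructed sample set. Note that the check is deliberately about the presence of pointers, not about whether the referenced CRL or OCSP responder is reachable; the browser comparison in the abstract concerns that second, separate failure mode.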