
Use cases for OCSP Responder

This article describes three typical use cases for Nexus OCSP Responder.

OCSP Responder in an open network scenario

  • End-users a, b, and p are private persons or employees in small firms without their own PKI service. They get their certificates from service bureaus A and B (CA A and CA B).

  • To determine the revocation status of the certificates used by a and b when they sign their mail, p has to query the authoritative OCSP responder for each respective issuer. Typically, these OCSP responders are co-located with the CA systems, but they do not need to be.

  • To help p find the OCSP responders, CA A and CA B may include the authorityInformationAccess (AIA) extension in the certificates of a and b.

  • End-user p receives signed mail from a and b. p’s e-mail client connects to different OCSP responders depending on the certificate issuer.
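The open-network flow above, worked through as an added example that is not Nexus code: two service-bureau CAs, one end-user certificate per CA carrying an AIA extension, a responder co-located with each CA, and a relying-party client that routes by the AIA URL and verifies the signed answer. Everything is constructed in-process with the Python `cryptography` library; the responder URLs are hypothetical and the responders are plain functions standing in for the HTTP endpoints.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

NOW, DAY, DER = dt.datetime.now(dt.timezone.utc), dt.timedelta(days=1), serialization.Encoding.DER

def build_cert(cn, sign_key, issuer, pub, ext, critical):  # self-signed CA when issuer is None
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
            .public_key(pub).serial_number(x509.random_serial_number()).not_valid_before(NOW - DAY)
            .not_valid_after(NOW + 30 * DAY).add_extension(ext, critical).sign(sign_key, hashes.SHA256()))

def make_ca(cn):  # a service bureau's own CA (CA A or CA B); constructed, P-256
    key = ec.generate_private_key(ec.SECP256R1())
    return key, build_cert(cn, key, None, key.public_key(), x509.BasicConstraints(True, None), True)
def issue_user_cert(ca_key, ca_cert, cn, ocsp_url):
    """End-user certificate; its AIA extension tells relying parties where this issuer's responder is."""
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))])
    return build_cert(cn, ca_key, ca_cert, ec.generate_private_key(ec.SECP256R1()).public_key(), aia, False)

def ocsp_url_from_aia(cert):
    """What p's mail client does first: read AIA to locate the authoritative responder for this issuer."""
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    return next(d.access_location.value for d in aia if d.access_method == AuthorityInformationAccessOID.OCSP)

def make_responder(ca_key, ca_cert, issued, revoked):
    """Responder co-located with its CA; looks up by serial only: 'issued' maps serial -> cert, 'revoked' is a set."""
    def answer(req_der):
        req = ocsp.load_der_ocsp_request(req_der)
        gone = req.serial_number in revoked
        return (ocsp.OCSPResponseBuilder().add_response(
            cert=issued[req.serial_number], issuer=ca_cert, algorithm=hashes.SHA256(),
            cert_status=ocsp.OCSPCertStatus.REVOKED if gone else ocsp.OCSPCertStatus.GOOD,
            this_update=NOW, next_update=NOW + DAY, revocation_time=NOW - DAY if gone else None,
            revocation_reason=None).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()).public_bytes(DER))
    return answer

def check_status(cert, issuer_cert, responders):
    """p's client: route by the AIA URL, then accept only a successful answer for this serial signed by the issuer."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer_cert, hashes.SHA256()).build()
    resp = ocsp.load_der_ocsp_response(responders[ocsp_url_from_aia(cert)](req.public_bytes(DER)))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL or resp.serial_number != cert.serial_number:
        raise ValueError("unusable OCSP response")
    issuer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    return resp.certificate_status.name
```

A forged or relayed-from-the-wrong-CA answer fails at the `verify` call with `InvalidSignature`, which is the check a relying party must never skip.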

OCSP Responder in a corporate scenario

In a corporate scenario, one may wish to control the traffic through the firewall. The end-user clients can be statically configured to always query the corporate OCSP responder. The corporate OCSP responder is then responsible for obtaining revocation information for CA A and CA B in some appropriate manner. This could mean fetching CRLs/CILs from a directory, relaying OCSP requests to another authoritative OCSP responder, or using some other mechanism.

OCSP Responder in an e-commerce scenario

  • In this e-commerce scenario, a customer finds an interesting item on the web and wants to make an electronic purchase.

  • The customer has obtained, from the customer’s bank, a smart card with a digital certificate on it.

  • The merchant’s bank issued the certificate that is used by the Nexus OCSP Responder in the merchant web shopping system.

  • Both banks have certificates issued by the root CA. In the following figure, the customer sends an order to the merchant and signs it using the smart card. The signer certificate is included in the order message.

  • The merchant’s web site receives the order and verifies that the signed data came from the customer and was not modified in transit.

  • The merchant’s shopping system includes an OCSP client, in this example a Nexus Hybrid Access Gateway, which sends a request to the merchant’s bank to get revocation information for the customer’s certificate.

  • As the customer’s certificate is issued by the customer’s bank, the Nexus OCSP Responder in the merchant’s bank system requests service from the customer’s bank to fulfill the request from the merchant’s shopping system.

  • If the revocation status is "good", the merchant shopping system can continue executing the order.

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.