Validation service

from Wikipedia, the free encyclopedia

A validation service, also known as a validation authority (VA), is a service provider that checks the validity of an X.509 certificate from a public key infrastructure (PKI).

Examination procedure and restrictions

In its simplest form, a validation service uses the certificate revocation list (CRL). The list is downloaded from a public URL and the serial number of the certificate to be checked is searched for in it. If the serial number is present, the certificate is revoked; otherwise it is considered valid.

The data format of the certificate revocation list is standardized. The second generation of the format contains considerably more information about a revoked certificate, e.g. the reason for revocation or the issuer of the certificate. It is not possible to announce a future revocation via the CRL data format (e.g. when a certificate change is scheduled ahead of time).

CRLs are updated at regular intervals, usually only once or twice a day. This means that the status returned for a certificate can be considerably out of date at the time of the query. In return, CRLs can be cached locally, which makes it possible to query a certificate's status offline.
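The CRL lookup described above, carried through with the `cryptography` library, as an added example that is not part of the original article: it constructs a throwaway CA and a v2 CRL in memory (the CA name and the serial numbers are made up), then runs the serial-number check together with the signature and freshness checks that a locally cached copy requires.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc)

def build_ca(common_name="Example Validation CA"):
    """Hypothetical issuer: throwaway EC key plus self-signed CA certificate, constructed inline."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(minutes=5)).not_valid_after(NOW + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def build_crl(ca_key, ca_cert, revoked, validity=timedelta(hours=12)):
    """Issue a v2 CRL (DER bytes, as a download from the CRL URL would be) whose entries carry a reason code."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + validity))
    for serial, reason in revoked.items():
        entry = (x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW)
                 .add_extension(x509.CRLReason(reason), critical=False).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def check_serial(crl_der, ca_cert, serial, now=None):
    """The lookup from the text: verify the list's signature, refuse a stale cached copy, then search the serial."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuer key")
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    if (now or datetime.now(timezone.utc)) > next_update:
        return ("stale", None)     # cached list has expired: fetch a fresh one before deciding
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return ("good", None)      # not listed: not revoked as of thisUpdate, nothing more is known
    reasons = [e.value.reason.name for e in entry.extensions if isinstance(e.value, x509.CRLReason)]
    return ("revoked", reasons[0] if reasons else "unspecified")

def demo():
    """Constructed scenario: 1001 revoked for key compromise, 1002 never revoked, then a query two days later."""
    ca_key, ca_cert = build_ca()
    crl = build_crl(ca_key, ca_cert, {1001: x509.ReasonFlags.key_compromise})
    later = NOW + timedelta(days=2)   # well past nextUpdate: the cached list must not be trusted
    return (check_serial(crl, ca_cert, 1001), check_serial(crl, ca_cert, 1002),
            check_serial(crl, ca_cert, 1002, now=later))
```

The third result shows the caveat of the paragraph above: once the cached list is past its nextUpdate, the checker must refuse to answer rather than report "good".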

The Online Certificate Status Protocol (OCSP) makes it possible to carry out a targeted, real-time status check without having to download complete certificate lists. In addition, every change in the status of a certificate is supposed to be published immediately in the OCSP service. However, some implementations of an OCSP responder are themselves based on a revocation list and therefore provide no more up-to-date revocation information than the list does. In such cases OCSP amounts to an optimization of the response time, since only the query via the certificate revocation list provides reliable results. Beyond OCSP, the Server-based Certificate Validation Protocol (SCVP) can also determine the certificate chain itself.

Ultimately, because of these functional restrictions, a reliable statement can only be made about the past.

Intended use

Applications that support certificates from a public key infrastructure used to be rare. In the past, particularly with the qualified electronic signature, there were often cases in which the recipient of an electronically signed document had no system with which to check whether the electronic signature it contained was valid. In such cases, a service provider was engaged who, among other things, operated a validation service and sent the client a verification report that had to be archived.