A certificate validation service (CVS) provides certificate validation using revocation checking with the Online Certificate Status Protocol (OCSP) or the Server-based Certificate Validation Protocol (SCVP) for all aspects of validation checking, as shown in Figure 1. Complete certificate validation requires that the certificate is issued from a trusted source, which requires building a validated chain of intermediate certificates up to a trusted root by checking all of their digital signatures. The certificate must be within its validity period, within its appropriate usage, and not revoked.

Figure 1 – An example of a CVS providing certificate revocation status.

A CVS consumes CRLs containing serial numbers of all the certificates that are revoked. When provided with a particular certificate or group of serials, the CVS responds with good, bad, or unknown. The CVS signs individual responses and can validate certificates referencing stale CRLs while notifying administrators of the situation.

An organization normally uses certificates throughout the enterprise that must be validated. Some applications normally stop working if a required CRL is expired. Others will time out and continue to operate. In either case, there is uncertainty as to how an enterprise will be impacted when CRL failures occur. A CVS that signs responses mitigates CRL failures and provides increased network performance as individual applications do not need to download CRLs separately.

Related Patterns:

• Federated Cloud Authentication

This mechanism is covered in CCP Module 7: Fundamental Cloud Security and
in Module 8: Advanced Cloud Security.

For more information regarding the Cloud Certified Professional (CCP) curriculum, visit www.arcitura.com/ccp.

This cloud computing mechanism is also covered in:

Cloud Computing Design Patterns by Thomas Erl, Robert Cope, Amin Naserpour

(ISBN: 9780133858563, Hardcover, ~ 528 pages)

For more information about this book, visit www.arcitura.com/books.