A flexible scheme for on-line public-key certificate status updating and verification

Abstract

A new on-line method for efficient handling of certificates within public-key infrastructures (PKIs) is presented. The method is based on a purposely-conceived extension of the one-way accumulator (OWA) cryptographic primitive, which permits one to provide an explicit, concise, authenticated and not forgeable information about the revocation status of each certificate. A thorough investigation on the performance attainable shows that the devised method exhibits the same positive features of the well-known on-line certificate status protocol (OCSP) as regards scalability, security and timeliness. Moreover, its peculiar characteristic of collectively authentication via a single directory-signed proof the status of all the certificates handled within a PKI leads to a significant reduction of the directory computational load that, in a high-traffic context, could be nearly unbearable when OCSP is applied.