Keeping PCs Safe on the Internet

PC Security Journal

Subscribe to PC Security Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get PC Security Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

PC Security Journal Authors: RealWire News Distribution, Denise Dubie, Lacey Thoms, Bob Gourley, Michael Bushong

Related Topics: PC Security Journal, SSL Journal, Comodo Encryption

SSL Journal: News Item

Comodo Certificate Status Protocol Is Timely, Accurate

Real-Time Certificate Checks Do Not Rely on Certificate Revocation Lists

A manager gives a key to an employee so the employee can drive a locked truck. The manager controls use of the key and the equipment; if the employee leaves the company, or if the employee dies, the manager is responsible to get the key back or change the locks.

But when the employee is instead driving a truckload of information down the information superhighway, handing out and retrieving the key can be more complicated.

Businesses protect their digital information in transit using Public Key Infrastructure.

Public Key Infrastructure is based on the idea of two “keys” for each server or mailbox. The first key is public, available for wide distribution, and for example this key might be included in every email you send. The second is “private.” The private key is kept secret. You never show this private key to anyone, but you use to sign or encrypt information.

Digital certificates are small electronic documents which are the best way to share your public key. They are nearly impossible to usefully forge because they are signed (think “certified”) by a Trusted third party such as Comodo.

With the encryption facilitated by SSL or by encrypted email the employee can send or receive information securely. Even from a wireless-enabled laptop at a truck stop.

The manager’s problem crops up again if the employee suddenly leaves the company. With a certificate using the employee’s private key, an employee who is no longer entitled to it can still access privileged information.

Certificate authorities have addressed this problem by regularly issuing “Certificate Revocation Lists” or CRLs. When the employee’s certificate is rendered invalid, the certificate authorities add it to their lists, nullifying communications that attempt to use the certificate.

A sleeker and more secure method of nullifying the certificates is the Online Certificate Status Protocol or OCSP. This protocol allows computers to check the status of certificates in real time. The computers access servers that respond to requests for status checks; the servers are called OCSP Responders.

Comodo, the second-largest issuer of high assurance digital certificates, offers OCSP as a standard feature. Its OCSP responder has been developed in-house, designed to be stable, fast and scalable.

Unlike other Certificate Authorities and OCSP Responders, Comodo’s response is not based on the CRL. Unlike most other Certificate Authorities, Comodo is able to sign each OCSP Response using the same Certificate Authority that signed each certificate. This reduces by 75% the amount of data that the OCSP Responder needs to return to the customer.

Specifically, since Comodo’s OCSP Response does not depend on the CRL, it can accurately identify a questioned certificate as “good,” “revoked,” or “unknown.” OCSP responders checking only the CRL can only respond “revoked,” for certificates already on the CRL, or “unknown” for all other certificates.

Most important, whenever a new certificate is issued, or an old one is revoked, Comodo’s OCSP Responder receives and acts upon the information within a few minutes. CRL-based OCSP Responders only find out about the certificate status changes as many as 24 hours later when the next CRL is published.

For more information, visit

More Stories By Katharine Hadow

Katharine Hadow is a marketing communications professional in New Jersey, USA