1. Field
Embodiments disclosed herein provide techniques for computer security. More specifically, techniques are disclosed for efficiently distributing certificate status validity messages to relying parties (e.g., client browser applications) by evenly partitioning subsets of responses to be distributed by certificate status responders.
2. Description of the Related Art
Various techniques exist for determining the validity of a digital certificate. For example, the Online Certificate Status Protocol (OCSP) is a method for delivering the status of a digital certificate to a requesting client. In a typical OCSP flow, a web server presents a digital certificate to a browser application. Before accepting the certificate, the browser application checks that it is valid by requesting an OCSP response from the certificate authority (CA) that issued the certificate. When the CA receives the OCSP request, it sends a digitally signed OCSP response to the browser application indicating whether the certificate is valid, invalid, revoked, etc. Typically, the CA maintains an OCSP responder service that sends OCSP responses to requesting clients.
An OCSP response server typically handles billions of OCSP requests daily. Because many online commercial services rely on OCSP to let customers verify that the services are who they purport to be, the OCSP response server must deliver OCSP responses quickly and efficiently. To meet response-time requirements, rather than generating an OCSP response each time the CA receives an OCSP request, the OCSP response server may store responses generated in advance in an in-memory cache, which significantly reduces OCSP response time. However, an issue arises as the number of certificates grows: more certificates mean more OCSP responses, and therefore more memory is needed to hold the cached responses. Managing a large volume of OCSP responses while still meeting response-time requirements thus becomes a concern.
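The cache-and-partition idea described above, as an added illustration that is not code from the patent: responses are generated and signed up front, and each responder holds only the shard of the cache that a hash of the serial number assigns to it, so per-responder memory falls as responders are added. HMAC with a placeholder key stands in for the CA's asymmetric signature, and the serials and statuses are constructed sample data.

```python
# Added example, not the patent's code: a miniature OCSP-style responder pool
# that pre-generates signed status responses and shards them evenly across N
# responders. HMAC stands in for the CA signature; all data is constructed.
import hashlib
import hmac
import json

CA_KEY = b"constructed-demo-ca-key"  # placeholder, not a real CA key

def build_response(serial: int, status: str, this_update: int) -> dict:
    """Pre-generate one signed status response (good/revoked/unknown)."""
    body = {"serial": serial, "status": status, "thisUpdate": this_update}
    encoded = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(CA_KEY, encoded, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def shard_for(serial: int, shard_count: int) -> int:
    """Hash the serial so runs of adjacent serials spread evenly over shards."""
    digest = hashlib.sha256(str(serial).encode()).digest()
    return int.from_bytes(digest[:8], "big") % shard_count

class ResponderPool:
    """N responders, each caching only the responses of its own shard."""

    def __init__(self, shard_count: int, this_update: int):
        self.shard_count = shard_count
        self.this_update = this_update
        self.caches = [dict() for _ in range(shard_count)]

    def preload(self, statuses: dict) -> None:
        """Generate every response up front and place it in its shard."""
        for serial, status in statuses.items():
            shard = shard_for(serial, self.shard_count)
            self.caches[shard][serial] = build_response(
                serial, status, self.this_update)

    def lookup(self, serial: int) -> dict:
        """Route the request to the owning responder; 'unknown' if absent."""
        cache = self.caches[shard_for(serial, self.shard_count)]
        return cache.get(serial) or build_response(
            serial, "unknown", self.this_update)

def verify(resp: dict) -> bool:
    """Relying-party check: recompute the signature over the response body."""
    encoded = json.dumps(resp["body"], sort_keys=True).encode()
    expected = hmac.new(CA_KEY, encoded, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp["sig"])
```

Each shard's size (`len(pool.caches[i])`) shows how the memory for the full response set is split across responders, and a tampered body fails `verify` because the signature no longer matches.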