Validation Authority – CogVA

CogVA is an integral component of the secureSME PKI (Public Key Infrastructure) suite, specializing in the validation and status verification of digital certificates. CogVA offers services for confirming the authenticity, validity, and revocation status of certificates issued within the secureSME ecosystem. By providing mechanisms to check the validity of certificates, CogVA ensures that entities relying on digital certificates can trust their security posture and maintain the integrity of their transactions and communications.

Core Features of CogVA

Certificate Revocation Lists (CRLs) Hosting

CogVA can host Certificate Revocation Lists, which are essential components in the lifecycle management of digital certificates. A CRL is a list published by a Certificate Authority (CA) that details certificates that have been revoked before their scheduled expiration date. This list is made publicly available to ensure that end-users or applications can cross-check the status of a certificate and avoid trusting one that has been compromised or is otherwise invalid.
CRLs are crucial for identifying certificates that are no longer trustworthy due to various reasons, such as:

  • Private key compromise: The certificate associated with a private key that has been exposed is revoked to prevent misuse.
  • CA compromise: If a CA’s integrity is compromised, all certificates issued by that CA may be revoked.
  • Superseded certificates: When a certificate is replaced by a new one, the old certificate may be revoked to prevent potential misuse.

CRLs include the serial numbers of revoked certificates and are signed by the CA to ensure their authenticity. They are updated regularly and distributed by CogVA via HTTP to allow client systems to easily check certificate validity.

What are the benefits and limitations of CRLs?

Benefits of CRLs:

  • Batch revocation: CRLs allow for the communication of multiple revoked certificates at once, making them efficient for updating systems en masse.
  • Ease of access: Hosting CRLs via HTTP ensures widespread availability.

Limitations of CRLs:

  • Latency: CRLs must be frequently updated and distributed, which can cause a delay between the actual revocation event and the list being updated.
  • Size: Large CRLs can be cumbersome to download and process, impacting performance.

Online Certificate Status Protocol (OCSP) Responder Services

In addition to CRLs, CogVA supports OCSP, a more dynamic and efficient approach to certificate status verification. OCSP is an Internet protocol used for obtaining the revocation status of an X.509 certificate without needing to download large CRLs, which makes on-demand checks of individual certificates possible. When an OCSP request is made, CogVA answers with a status report on whether a certificate is valid, revoked, or unknown. This real-time capability enhances the security and efficiency of certificate verification processes.

Advantages of OCSP compared to CRLs

  • Real-time validation: Provides the current status of a certificate, reducing the risk associated with outdated CRL checks.
  • Lower data usage: Requests are specific and significantly smaller than downloading entire CRLs.

CogVA supports OCSP responses for online issuing CAs as well as for offline root CAs. This allows all certificates up to the root to be efficiently validated using OCSP. When using online CAs, CogVA is capable of automatically issuing and renewing OCSP responder certificates as required.
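The three-way answer described above (valid, revoked, or unknown) and the relying party's side of the exchange, as an added example that is not CogVA's code. It is a model of the responder's decision logic and of the checks a client applies before acting on an answer; it deliberately omits the DER-encoded ASN.1 messages and the responder's signature that real OCSP (RFC 6960) carries on the wire, so it is not a protocol implementation. The issuer key identifiers, serial numbers and the nonce extension usage are constructed for the example; the page itself does not describe nonces.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertStatus mirrors the three OCSP CertStatus values defined in RFC 6960.
type CertStatus int

const (
	StatusGood CertStatus = iota
	StatusRevoked
	StatusUnknown
)

func (s CertStatus) String() string {
	return [...]string{"good", "revoked", "unknown"}[s]
}

// OCSPRequest identifies one certificate by its issuer and serial number.
// IssuerKeyID stands in for the issuerKeyHash of a real CertID (assumption).
type OCSPRequest struct {
	IssuerKeyID string
	Serial      *big.Int
	Nonce       []byte // optional freshness token, echoed back by the responder
}

// OCSPResponse carries the status plus the window in which it may be relied on.
type OCSPResponse struct {
	Status         CertStatus
	RevocationTime time.Time // set only when Status == StatusRevoked
	ThisUpdate     time.Time
	NextUpdate     time.Time
	Nonce          []byte
}

// Responder answers for a fixed set of issuers; each maps serial -> revocation time.
type Responder struct {
	issuers  map[string]map[string]time.Time
	validity time.Duration // how long a response stays usable (NextUpdate - ThisUpdate)
}

func NewResponder(validity time.Duration) *Responder {
	return &Responder{issuers: make(map[string]map[string]time.Time), validity: validity}
}

// Serve registers an issuer this responder is authoritative for.
func (r *Responder) Serve(issuerKeyID string) {
	if _, ok := r.issuers[issuerKeyID]; !ok {
		r.issuers[issuerKeyID] = make(map[string]time.Time)
	}
}

// Revoke records a revocation; unlike a CRL, it is visible on the very next
// response with no republication delay.
func (r *Responder) Revoke(issuerKeyID string, serial *big.Int, at time.Time) {
	r.Serve(issuerKeyID)
	r.issuers[issuerKeyID][serial.String()] = at
}

// Respond is the responder's decision: "unknown" when it is not authoritative
// for the issuer, "revoked" when the serial is on record, "good" otherwise.
func (r *Responder) Respond(req OCSPRequest, now time.Time) OCSPResponse {
	resp := OCSPResponse{ThisUpdate: now, NextUpdate: now.Add(r.validity), Nonce: req.Nonce}
	revoked, known := r.issuers[req.IssuerKeyID]
	if !known {
		resp.Status = StatusUnknown
		return resp
	}
	if at, ok := revoked[req.Serial.String()]; ok {
		resp.Status = StatusRevoked
		resp.RevocationTime = at
		return resp
	}
	resp.Status = StatusGood
	return resp
}

// Accept is the relying-party side: reject a response whose nonce does not
// match the request, one outside its validity window, or a non-committal
// "unknown"; only then is the status acted on.
func Accept(req OCSPRequest, resp OCSPResponse, now time.Time) (CertStatus, error) {
	if req.Nonce != nil && !bytes.Equal(req.Nonce, resp.Nonce) {
		return StatusUnknown, errors.New("nonce mismatch: response does not belong to this request")
	}
	if now.Before(resp.ThisUpdate) || now.After(resp.NextUpdate) {
		return StatusUnknown, errors.New("response outside its validity window")
	}
	if resp.Status == StatusUnknown {
		return StatusUnknown, errors.New("responder is not authoritative for this issuer; check cannot succeed")
	}
	return resp.Status, nil
}

func main() {
	r := NewResponder(10 * time.Minute)
	r.Revoke("issuer-key-id-A", big.NewInt(4242), time.Now()) // constructed identifiers
	req := OCSPRequest{IssuerKeyID: "issuer-key-id-A", Serial: big.NewInt(4242), Nonce: []byte("n1")}
	status, err := Accept(req, r.Respond(req, time.Now()), time.Now())
	fmt.Println(status, err)
}
```

Note that "good" here only means "not on this responder's revocation record for an issuer it serves"; a serial the responder has never seen for a served issuer still gets "good", which is why "unknown" is reserved for issuers outside its authority rather than for unrecognised serials.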