What's the point of deploying a digital certificate infrastructure if you can't readily check the status of certificates? That's where CoreStreet's Real Time Credentials comes in.
In our test of this system - which uses the Online Certificate Status Protocol (OCSP) - we found that while its unique approach works as advertised, it might be overkill for most companies using a certificate infrastructure. The usefulness of this product will not be fully realized until more applications support OCSP.
CoreStreet provides certificate status services through a network of distributed OCSP responders, lightweight servers that do not contain sensitive cryptographic information and can be safely distributed throughout a company.
A central RTC Validation Authority (RTC VA) retrieves the Certificate Revocation List and a list of all issued certificates from the underlying certificate authority and uses them to generate proofs, which are pre-built OCSP responses (see graphic, right). RTC Responders then retrieve these proofs from the RTC VA over HTTP and use them to answer queries from an OCSP requestor. Security applications that process certificates issue the OCSP requests and use the OCSP response to determine the certificate's validity.
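To make the split between the two roles concrete, here is an added example that is not CoreStreet's code and does not reproduce the product's own VA-to-responder protocol: a file-based model of the same flow built with stock openssl, in which the "VA" pre-signs one response per issued certificate, the "responder" is just a directory holding those bytes, and a relying party verifies a stored response against the CA. The CA, the two leaf certificates, the index.txt database and every file name are constructed for the example.

```shell
#!/bin/sh
# Added example, not CoreStreet's code: a file-based model of the RTC flow with
# stock openssl. The "VA" (the only place ca.key exists) pre-signs one OCSP
# response per issued certificate; the "responder" is just a directory of those
# bytes; a relying party verifies a stored response against the CA. All names
# and key material are constructed here.
set -e
WORK=$(mktemp -d); cd "$WORK"; mkdir responder

# Constructed CA and two leaf certificates (serials 0x1001 and 0x1002).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Test CA" -days 30 2>/dev/null
for serial in 1001 1002; do
  openssl req -newkey rsa:2048 -nodes -keyout "leaf$serial.key" \
    -out "leaf$serial.csr" -subj "/CN=leaf$serial.example.test" 2>/dev/null
  openssl x509 -req -in "leaf$serial.csr" -CA ca.pem -CAkey ca.key \
    -set_serial "0x$serial" -days 30 -out "leaf$serial.pem" 2>/dev/null
done

# The VA's input, standing in for "CRL plus list of issued certificates": the
# CA database in openssl index.txt layout (status, expiry, revocation time,
# serial, file, subject). 0x1002 is revoked.
printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=leaf1001.example.test\n' > index.txt
printf 'R\t301231235959Z\t240101120000Z\t1002\tunknown\t/CN=leaf1002.example.test\n' >> index.txt

# VA step: sign a response (proof) for every issued certificate in advance,
# valid for one day. Nothing on the responder side ever sees ca.key.
va_prebuild_proofs() {
  for serial in 1001 1002; do
    openssl ocsp -issuer ca.pem -cert "leaf$serial.pem" -no_nonce \
      -reqout "req$serial.der" >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
      -ndays 1 -reqin "req$serial.der" -respout "responder/$serial.der" \
      -noverify >/dev/null 2>&1
  done
}

# Relying-party step: take the stored proof (the bytes a responder would serve
# over HTTP), check its signature and chain against the CA, and only then
# report the certificate status: good, revoked or unknown.
ocsp_status() {  # $1 = serial in hex, e.g. 1001
  if ! openssl ocsp -respin "responder/$1.der" -issuer ca.pem -cert "leaf$1.pem" \
      -CAfile ca.pem -no_nonce > "status$1.txt" 2>/dev/null; then
    echo "verify-failed"; return 1   # never trust the status of an unverified response
  fi
  awk -F': ' '/\.pem: /{print $2}' "status$1.txt"
}

va_prebuild_proofs
echo "0x1001: $(ocsp_status 1001)"   # good
echo "0x1002: $(ocsp_status 1002)"   # revoked
```

A certificate whose serial is absent from index.txt would come back as "unknown", and a response whose signature does not chain to ca.pem is rejected before any status is printed.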
The RTC VA and each RTC Responder are managed separately through a Web-based GUI. There also is a command-line interface to the RTC VA, but we found it incomplete. Each component has its own error log that resides on the individual Validation Authority and Responder systems. There is no capability to integrate these internal log files with an external log management system.
To tap into RTC services, security devices must support Secure Sockets Layer (SSL), 802.1X, IPSec or some other certificate-aware protocol, and be configured to check the status of the certificate. Not many applications directly support OCSP yet. Several vendors, including CoreStreet, offer add-on products that enhance Internet Explorer, Internet Information Server and Windows to add status-checking based on OCSP. Mozilla natively supports OCSP, and future versions of Windows will as well.