VeriSign aids Defense CA
- By Brad Grimes
- Jul 07, 2005
Public-key infrastructure managers take note. Buried somewhere in the news that VeriSign Inc. of Mountain View, Calif., was approved to participate in the Defense Department's External Certificate Authority program was a mention that ECA would mark the first government use of VeriSign's Trusted Global Validation service.
Because the company's announcement didn't go into any detail about this first-of-its-kind service, GCN got on the phone with George Schu, VeriSign's public sector vice president.
It turns out TGV is something anyone implementing a PKI would want to consider'and something not entirely unique to VeriSign. TGV is an online certificate status protocol service used to ensure that a user's PKI certificate is valid. OCSP overcomes a crucial limitation of the traditional method of certificate validation, the certificate revocation list. In a non-OCSP world, users who want access to a network resource via PKI must download the latest CRL so the system can check to see if their certificate is still good. At DOD, that's a problem.
'The CRL [at DOD] is unwieldy,' Schu said. 'The internal CRL is 30 megabytes.' Not exactly conducive to rapid downloads, especially in Defense outposts with low bandwidth.
With an OCSP service like VeriSign's, the user's system sends a request to a nearby server where it's checked against a cached CRL.
VeriSign hasn't cornered the Defense Department market on OCSP, however. In March DOD's PKI Program Management Office tapped similar services from Tumbleweed Communications Corp. of Redwood City, Calif., and CoreStreet Ltd. of Cambridge, Mass.