Title :
On the Tradeoff between Performance and Security in OCSP-Based Certificate Revocation Systems for Wireless Environments
Author :
Berbecaru, Diana
Author_Institution :
Politecnico di Torino, Italy
Abstract :
The Online Certificate Status Protocol (OCSP) specifies a mechanism used to determine the status of public-key certificates (PKC). OCSP deployments have been used so far to ensure timely and secure certificate status information for high-value electronic transactions, as in banking environments. Nevertheless, since an OCSP responder always operates online, it could be subject to the key exposure attack (problem). A solution to this problem is given by forward-secure signature (FSS) schemes. This paper investigates various modifications of OCSP-based certificate revocation systems for wireless environments using efficient generic FSS schemes, i.e. the Bellare-Miner tree, the Iterated Sum construction and the MMM scheme. In the proposed systems we evaluate the tradeoff between performance (i.e. response size and amount of computation required) and security (vulnerability to forgery).
Keywords :
Bandwidth; Banking; Communication system security; Data structures; Environmental management; Forgery; Frequency selective surfaces; Protocols; Public key; Public key cryptography;
Conference_Title :
Computers and Communications, 2006. ISCC '06. Proceedings. 11th IEEE Symposium on
Print_ISBN :
0-7695-2588-1
DOI :
10.1109/ISCC.2006.114