Integrating Identity Quality Metrics with OCSP Responses (G11c)
The Online Certificate Status Protocol (OCSP) gives users of a PKI a means of knowing, in real time, whether an X.509 certificate is valid. The protocol is intended to replace the Certificate Revocation List (CRL) method, under which a certificate could have become invalid after the list was published. This presentation describes a method for reporting additional essential information about a certificate besides its current validity. While the protocol, which we are calling OCSP++, is designed to report identity quality metrics as measured by systems such as NIST 800-63-3 Level of Assurance and Osmio IDQA, it can be used to convey other essential but mutable information about the certificate and its subject.