Validation Authority – CogVA
CogVA is an integral component of the Jellyfish PKI (Public Key Infrastructure) suite, specializing in the validation and status verification of digital certificates. CogVA offers services for confirming the authenticity, validity, and revocation status of certificates issued within the Jellyfish ecosystem. By providing mechanisms to check the validity of certificates, CogVA ensures that entities relying on digital certificates can trust their security posture and maintain the integrity of their transactions and communications.
Core Features of CogVA
Certificate Revocation Lists (CRLs) Hosting
CogVA can host Certificate Revocation Lists, which are essential components in the lifecycle management of digital certificates. A CRL is a list published by a Certificate Authority (CA) that details certificates that have been revoked before their scheduled expiration date. This list is made publicly available to ensure that end-users or applications can cross-check the status of a certificate and avoid trusting one that has been compromised or is otherwise invalid.
CRLs are crucial for identifying certificates that are no longer trustworthy due to various reasons, such as:
- Private key compromise: The certificate associated with a private key that has been exposed is revoked to prevent misuse.
- CA compromise: If a CA’s integrity is compromised, all certificates issued by that CA may be revoked.
- Superseded certificates: When a certificate is replaced by a new one, the old certificate may be revoked to prevent potential misuse.
CRLs include the serial numbers of revoked certificates and are signed by the CA to ensure their authenticity. They are updated regularly and distributed by CogVA via HTTP to allow client systems to easily check certificate validity.
What are the benefits and limitations of CRLs?
Benefits of CRLs:
- Batch revocation: CRLs allow for the communication of multiple revoked certificates at once, making them efficient for updating systems en masse.
- Ease of access: Hosting CRLs via HTTP ensures widespread availability.
Limitations of CRLs:
- Latency: CRLs must be frequently updated and distributed, which can cause a delay between the actual revocation event and the list being updated.
- Size: Large CRLs can be cumbersome to download and process, impacting performance.

Online Certificate Status Protocol (OCSP) Responder Services
In addition to CRLs, CogVA supports OCSP, a more dynamic and efficient approach to certificate status verification. OCSP is an Internet protocol for obtaining the revocation status of an X.509 certificate without downloading a large CRL, which allows on-demand checks of individual certificates. When an OCSP request is made, CogVA answers with a status report stating whether the certificate is valid, revoked, or unknown. This real-time capability improves both the security and the efficiency of certificate verification.
How OCSP Works:
- The client sends the serial number of the certificate to the OCSP responder.
- CogVA checks the certificate status against an up-to-date CRL and replies with one of three responses:
  - Good: The certificate is valid.
  - Revoked: The certificate is no longer trustworthy.
  - Unknown: The responder cannot determine the status of the certificate.
- CogVA digitally signs the OCSP response and returns it to the client.
- The client validates the OCSP response signature and accepts or rejects the certificate based on the returned revocation status.
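The CRL and OCSP mechanics described above (the CA-signed revocation list, the client's request by serial number, the responder's lookup against the current CRL, its signed reply, and the client's signature check), as an added example that is not CogVA's or Jellyfish's code. It uses the Python `cryptography` library to stand up a throwaway issuing CA in memory, issue two certificates, revoke one, publish a CRL, and run the OCSP exchange between a client and a responder function. The CA, the certificate names and the `demo()` scenario are constructed for illustration, and the responder signs with the CA key directly rather than with a delegated OCSP responder certificate as CogVA does.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

UTC = datetime.timezone.utc
NOW = datetime.datetime.now(UTC)
DER = serialization.Encoding.DER


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca():
    """Constructed self-signed issuing CA; its key signs the leaf certs, the CRL and the OCSP responses."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(_name("Example Issuing CA"))
            .issuer_name(_name("Example Issuing CA")).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, cn):
    """End-entity certificate signed by the CA; the serial number is what revocation checks key on."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(hours=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials, as_of=NOW, valid_hours=24):
    """CA side: a signed CRL listing the revoked serials, valid from as_of until nextUpdate."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(as_of).next_update(as_of + datetime.timedelta(hours=valid_hours)))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(as_of).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def crl_status(crl, ca_cert, cert):
    """Client side: accept the CRL only if the CA signature holds and nextUpdate has not passed."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=UTC)
    if datetime.datetime.now(UTC) > next_update:
        raise ValueError("CRL is stale (nextUpdate has passed); do not rely on it")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"


def ocsp_request(cert, issuer):
    """Client -> responder: the certificate is identified by issuer hashes plus its serial number."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA256()).build().public_bytes(DER)


def ocsp_respond(request_der, ca_key, ca_cert, issued, crl):
    """Responder side: look the serial up in the current CRL, then sign a GOOD or REVOKED answer.
    `issued` is the CA's issuance record (serial -> certificate)."""
    req = ocsp.load_der_ocsp_request(request_der)
    revoked = crl.get_revoked_certificate_by_serial_number(req.serial_number) is not None
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=issued[req.serial_number], issuer=ca_cert, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
        revocation_time=NOW if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(DER)


def ocsp_verify(response_der, ca_cert, cert):
    """Client side: check the signature and that the answer concerns this certificate before trusting it."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder returned {resp.response_status.name}")
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:
        raise ValueError("response is about a different certificate")
    return resp.certificate_status.name.lower()  # "good" or "revoked"


def demo():
    """Constructed scenario: two leaf certificates; Bob's private key is compromised and revoked."""
    ca_key, ca_cert = make_ca()
    leaves = {cn: issue_leaf(ca_key, ca_cert, cn) for cn in ("alice", "bob")}
    issued = {c.serial_number: c for c in leaves.values()}
    crl = build_crl(ca_key, ca_cert, [leaves["bob"].serial_number])
    out = {}
    for cn, c in leaves.items():
        out["crl_" + cn] = crl_status(crl, ca_cert, c)
        reply = ocsp_respond(ocsp_request(c, ca_cert), ca_key, ca_cert, issued, crl)
        out["ocsp_" + cn] = ocsp_verify(reply, ca_cert, c)
    stale = build_crl(ca_key, ca_cert, [], as_of=NOW - datetime.timedelta(days=2))  # constructed: expired
    try:
        out["stale_crl"] = crl_status(stale, ca_cert, leaves["alice"])  # must not be reached
    except ValueError:
        out["stale_crl"] = "rejected"
    return out
```

`demo()` returns `good` for Alice and `revoked` for Bob by both paths, and `rejected` for the stale list. The client side refuses a CRL whose nextUpdate has passed: that window is the latency limitation noted above, and a relying party that keeps using an old list treats a revoked certificate as trusted. The responder here answers only for serials in its own issuance record; a CRL on its own cannot distinguish "never issued" from "not revoked", which is the gap the Unknown status exists for.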
This diagram shows a typical OCSP flow:
Advantages of OCSP compared to CRLs:
- Real-time validation: OCSP provides immediate feedback on the status of a certificate, reducing the risk associated with outdated CRL checks.
- Lower data usage: Requests are specific and significantly smaller than downloading entire CRLs.
CogVA supports OCSP responses for online issuing CAs as well as for offline root CAs. This allows every certificate in the chain, up to the root, to be validated efficiently using OCSP. When using online CAs, CogVA can automatically issue and renew OCSP responder certificates as required.
CogVA supports storing private keys on a Hardware Security Module (HSM). This improves security by ensuring that private keys can only be used for OCSP signing and cannot be exfiltrated. CogVA uses the standard PKCS #11 (Cryptoki) API, which allows it to work with a wide range of HSMs. CogVA can automatically renew HSM-backed private keys and OCSP certificates before expiry.
OCSP Stapling with CogVA
OCSP stapling is an enhancement to the traditional OCSP process that provides significant benefits in terms of privacy, performance, and efficiency. In a standard OCSP process, the client directly contacts the OCSP responder (i.e., CogVA) to verify the status of a certificate, which can raise privacy concerns as it can reveal user browsing behaviour. OCSP stapling mitigates this by enabling the web server to periodically obtain an OCSP response from the responder proactively and include this response in the TLS handshake when communicating with clients. This means that the client can verify the status of the certificate without needing to directly contact the OCSP responder, thereby preserving user privacy.
Moreover, OCSP stapling reduces latency and improves performance, as the client no longer needs to make an additional request to the OCSP responder, shortening the time taken for secure connections to be established. This enhancement contributes to more efficient resource usage and a smoother user experience, especially during high-traffic conditions. Organisations using CogVA can seamlessly integrate OCSP stapling into their infrastructure to leverage these benefits and maintain robust, secure, and privacy-respecting communication channels.
Authority Information Access (AIA) and Policy Information
Authority Information Access (AIA) is a mechanism that allows applications to retrieve important certificate information directly via HTTP. The AIA extension embedded in a certificate carries URLs from which the issuing CA's certificate or the OCSP responder can be reached. CogVA and Leviathan CA support AIA functionality to facilitate quick access to CA certificates and OCSP responders. This aids in certificate chain validation and confirms the trustworthiness of a certificate by referencing authoritative sources.
CogVA can also host policy information, such as certificate policy (CP) and certification practice statement (CPS) documents.
Why CogVA Matters
CogVA is an essential component of Jellyfish, enabling users to verify the validity and revocation status of certificates efficiently by combining CRL hosting, OCSP responder services, and AIA and certificate policy support.
It addresses these critical areas:
- Enhanced Trustworthiness: By providing mechanisms to verify certificates via CRLs and OCSP, CogVA strengthens the trust framework needed for secure digital interactions.
- Efficiency and Real-time Responses: The OCSP service allows for quick and efficient checks, significantly reducing the potential for security lapses due to outdated validity information.
- Scalability and Accessibility: The hosting of CRLs and CA certificates over HTTP ensures widespread accessibility, promoting secure communication at scale. CogVA uses a highly scalable and resilient microservice architecture, ensuring it can continue to operate even if other parts of the service are degraded.