[caops-wg] OCSP validation performance in Grid environments

Jesus Luna jluna at ac.upc.edu
Fri Oct 28 05:38:14 CDT 2005


Hello again (one more time!),
Even though we are still in the process of formally publishing this 
info, we would like to comment about the results obtained at this date 
with OGRO+Grid Validation Policy+GT4. Maybe some of them could be 
interesting for the "OCSP Requirements for Grids" document.
We have measured the time elapsed in validating through OCSP (OGRO) a 
Proxy Certificate Path i) at the client-side when the user creates it 
by executing "grid-proxy-init" and, ii) at the server-side when the 
GT4's WSRF Container receives a Grid Service invocation (CounterService) 
through the secure message mechanism. In both cases we were using 
different Grid Validation Policies to understand the overhead introduced 
when customizing parameters like use of digital signatures, nonces, 
HTTP/HTTPS, fault tolerance, etc.
In most of the cases the results showed that the decision to protect the 
OCSP Request with digital signatures, nonce and HTTPS introduces an 
overhead which is practically non-existent when compared with the 
overhead of communicating with the OCSP Responder itself.
To alleviate such overhead we have implemented a mechanism called 
pre-validation, which embeds the OCSP Response as a Proxy Certificate 
extension when such credential is being created by the client. When the 
server needs to validate such data, it merely needs to extract the 
pre-validation data from the Proxy and proceed with the usual OCSP 
verification process. In our tests we have measured elapsed times 30% 
lower than those obtained with "traditional" OCSP validation at the 
server (WSRF Container).
Hope this information may be useful for the document.

Best regards (finally!),

Oscar & Jesus




