Home > ADSS OCSP Service > Support for Multiple Trust Models

Support for Multiple Trust Models

Successful OCSP responses from the OCSP service are digitally signed so that Relying Parties (RPs) can authenticate the responses and thereby prevent an attacker from spoofing the OCSP service. The OCSP service therefore uses public/private key pairs for signing OCSP responses.

How the public keys of the OCSP service are certified depends on the particular trust model adopted by your PKI. For example, imagine a scenario where a PKI is established with a Root CA, a Sub CA and an OCSP responder. Let's assume the purpose of the OCSP responder in this scenario is to provide status information for the certificates issued by the Sub CA.

In this case the options for certifying the OCSP server are as follows:

The OCSP service supports all of these trust models, and generally each CA registered on the OCSP service can choose the trust model it wishes to follow. The figure below illustrates the first three trust models (the black arrows representing certificates issued by one entity to another):
