PKI Resource Query Protocol (PRQP) Deployed by Federal Bridge and OpenCA

A fairly new and little-known protocol, the PKI Resource Query Protocol (PRQP), developed in the IETF PKIX Working Group, is being deployed by the US Federal Bridge and OpenCA, reports the editor of the current draft, Massimiliano Pala.

The basic idea of PRQP is to provide a query/response protocol that allows a client to request the URLs of resources associated with a CA. This provides “discovery” for any services (current and future), such as:
  • Repositories (CRLs and Certs)
  • Validation Services (OCSP, SCVP, etc.)
  • Other Services (TimeStamping, Revocation, Subscription, etc.)

In current PKI deployments, the ability to link CA-related services to a certificate is provided through the Authority Information Access (AIA) extension. However, the AIA extension comes with two significant problems.

  1. When the AIA is used to locate a certificate status checking service, the URL in the AIA extension has to be used before the certificate is validated. This opens the door to Denial of Service (DoS) attacks.
  2. The information in the AIA is static: it can’t change once a certificate has been issued.

The primary advantage of PRQP is therefore that it allows dynamic assignment of URLs to important resources, which makes the whole infrastructure more flexible.
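As an added illustration (not code from the PRQP draft or from OpenCA, and not the protocol's real ASN.1 encoding), here is a Python model of the query/response exchange described above: the client asks a responder for the URLs of a CA's services, checks the answer before using any URL, and an operator can move a service without any certificate being reissued. The CA name, URLs and responder key are constructed placeholders, and an HMAC stands in for the responder's digital signature.

```python
import hashlib, hmac, json, secrets

# Constructed demo data: a stand-in key for the responder's signature and a
# catalogue of the service URLs the responder currently advertises per CA.
RESPONDER_KEY = b"constructed-demo-key"
CATALOGUE = {"Example Root CA": {"crl": "http://crl.example.test/root.crl",
                                 "ocsp": "http://ocsp.example.test/",
                                 "timestamp": "http://tsa.example.test/"}}

def ca_id(ca_name):
    """Identify the CA by a hash of its name (stand-in for hashing its DN or key)."""
    return hashlib.sha256(ca_name.encode()).hexdigest()

def build_request(ca_name, resources):
    """Client: ask which URLs serve the named resource types for this CA."""
    return {"ca": ca_id(ca_name), "nonce": secrets.token_hex(8), "resources": list(resources)}

def handle_request(req):
    """Responder: look up the CA's current URLs (None if unknown) and sign the answer."""
    by_id = {ca_id(name): urls for name, urls in CATALOGUE.items()}
    known = by_id.get(req["ca"], {})
    body = {"nonce": req["nonce"], "urls": {r: known.get(r) for r in req["resources"]}}
    sig = hmac.new(RESPONDER_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
    return {"body": body, "sig": sig}

def verify_response(req, resp):
    """Client: reject a tampered or replayed answer; only then trust the URLs."""
    expected = hmac.new(RESPONDER_KEY, json.dumps(resp["body"], sort_keys=True).encode(),
                        "sha256").hexdigest()
    if not hmac.compare_digest(expected, resp["sig"]) or resp["body"]["nonce"] != req["nonce"]:
        return None
    return resp["body"]["urls"]

def discover(ca_name, resources):
    """Full round trip: client request, responder answer, client verification."""
    req = build_request(ca_name, resources)
    return verify_response(req, handle_request(req))

def update_url(ca_name, resource, url):
    """Operator: move a service; the next query sees it, no certificate is reissued."""
    CATALOGUE.setdefault(ca_name, {})[resource] = url

if __name__ == "__main__":
    print(discover("Example Root CA", ["crl", "ocsp", "scvp"]))  # scvp -> None: not offered
    update_url("Example Root CA", "ocsp", "http://ocsp2.example.test/")
    print(discover("Example Root CA", ["ocsp"]))  # new URL, same certificates
```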

Resources:
  1. The current Draft of the PRQP protocol
  2. The basic outline of the protocol in the original presentation from the 69th IETF (PDF)
  3. The OpenCA project page - with source download