Validation authority

In public key infrastructure, a validation authority is an entity that provides a service used to verify the validity or revocation status of a digital certificate per the mechanisms described in the X.509 standard and .

Application

The dominant method used for this purpose is to host a certificate revocation list for download via the HTTP or Lightweight [Directory Access Protocol|LDAP] protocols. To reduce the amount of network traffic required for certificate validation, the Online [Certificate Status Protocol|OCSP] protocol may be used instead.

Advantages

While this is a potentially labor-intensive process, the use of a dedicated validation authority allows for dynamic validation of certificates issued by an offline [root certificate authority]. While the root CA itself will be unavailable to network traffic, certificates issued by it can always be verified via the validation authority and the protocols mentioned above.
The ongoing administrative overhead of maintaining the CRLs hosted by the validation authority is typically minimal, as it is uncommon for root CAs to issue large numbers of certificates.

Limitations

While a validation authority is capable of responding to a network-based request for a CRL, it lacks the ability to issue or revoke certificates. It must be continuously updated with current CRL information from a certificate authority which issued the certificates contained within the CRL.