According to FIPS 201, real-time certificate validation (which includes path validation and revocation status checking) is the preferred means of validating a PIV credential. Unfortunately, today this kind of real-time certificate checking using PKI technology would pose an unacceptable performance problem for the PACS. Recognizing this, FIPS 201 describes a system that stores certificate status locally and is called a
By capturing and storing the certificates from the PIV credential, it is possible to perform regularly scheduled revocation status checks even when the physical card is not available. If a certificate is found to be revoked, the associated PACS record can be updated with the appropriate status, thereby denying physical access. The system can also send an email to a distribution list upon finding a revoked certificate or upon taking action to suspend a card.
Section 7.4 of NIST SP 800-116 states, "Since certificate revocation is used as a mechanism to indicate that a PIV Card should no longer be considered valid, the caching status proxy should periodically re-validate all of the certificates in its database and deactivate the access privileges of any individual whose certificate has expired or has been revoked. Re-validation should be performed by the caching status proxy at least once per day."
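The re-validation loop described above, written out as an added example (this is not code from the page or from any PACS product). The certificate fields, the issuer name, the revocation data and the PACS records are constructed in-memory stand-ins for what a real caching status proxy would capture from the card and fetch from the CA's CRL or OCSP responder:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
UTC = timezone.utc

@dataclass
class CachedCert:
    issuer: str
    serial: int
    not_after: datetime

@dataclass
class PacsRecord:
    holder: str
    cert: CachedCert
    status: str = "active"      # "active" or "suspended"
    reason: str = ""

def check_cert(cert, revoked, now):
    """Return None while the cached cert is still usable, otherwise why it is not."""
    if now >= cert.not_after:
        return "expired"
    if cert.serial in revoked.get(cert.issuer, set()):
        return "revoked"
    return None

def revalidate(records, revoked, now):
    """One scheduled run: suspend holders whose cert failed and return the notices to mail."""
    notices = []
    for rec in records:
        reason = check_cert(rec.cert, revoked, now)
        if reason and rec.status == "active":
            rec.status, rec.reason = "suspended", reason
            notices.append(f"{rec.holder}: access suspended ({reason}, serial {rec.cert.serial:#x})")
    return notices

def due_for_revalidation(last_run, now, max_interval=timedelta(days=1)):
    """SP 800-116 section 7.4: re-validate at least once per day (and at once if never run)."""
    return last_run is None or now - last_run >= max_interval

def run_demo():
    # Constructed sample data: one valid, one revoked and one expired cardholder.
    ca = "CN=Example Agency CA"          # hypothetical issuer name
    now = datetime(2024, 6, 1, tzinfo=UTC)
    records = [
        PacsRecord("alice", CachedCert(ca, 0x1A, datetime(2026, 1, 1, tzinfo=UTC))),
        PacsRecord("bob", CachedCert(ca, 0x2B, datetime(2026, 1, 1, tzinfo=UTC))),
        PacsRecord("carol", CachedCert(ca, 0x3C, datetime(2023, 12, 31, tzinfo=UTC))),
    ]
    revoked = {ca: {0x2B}}               # serials taken from the CA's latest CRL (constructed)
    return records, revalidate(records, revoked, now)
```

A scheduler would call `revalidate` whenever `due_for_revalidation` is true and hand the returned notices to the email distribution list; a second run over the same records produces no new notices, since already-suspended holders are not re-reported.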