Advanced Revocation Provider Features

Architecture

  • Server & Desktop versions

    ARP is a validation plugin for Windows CAPI on both desktop and server systems. This validation provider plugin interacts with either a user environment on desktop systems (Standard Edition) or a multi-user environment on a separate centralised server (Enterprise Edition).

    • ARP Standard Edition - Designed to be deployed on corporate desktops ARP SE uses central management settings to determine the validation policy that should be enforced for checking the status of certificates used within any CAPI application.
    • ARP Enterprise Edition - With ARP EE only a very light CAPI plugin (or Client SDK) is deployed to the desktop. ARP EE itself is deployed on a central server. It receives certificate validation requests from multiple ARP CAPI plugins and creates OCSP requests for forwarding to an OCSP responder or, depending on policy, retrieves the relevant CRL. Once the status of the certificate is established, the ARP EE Server replies back to the ARP CAPI plugin.
    See our deployment diagram and comparison sheet on how the two ARP versions compare.

  • Selective Invocation

    It is possible for the administrator to configure which higher-level applications can invoke ARP. This not only streamlines the user experience but also avoids unnecessary load on your back-end OCSP servers or CRL repositories.

  • Highly configurable Policy Engine

    ARP can use the AIA extension and/or multiple defined addresses to find an authoritative OCSP responder. Cached OCSP responses can also be used. Similar options are available for processing CRLs. ARP has advantages for CRL users in terms of the visual warning on the user interface, e.g. configuring ARP to pop up only when “Not Trusted” certificates are found. In these circumstances Windows alone would provide no further details, and no record of the validation attempt! ARP allows users to see issues and then review the history of prior transactions so that meaningful dialogues can be held with support desk staff to identify and correct any issues arising.

Security & Administration

  • Strong Security

    ARP can be configured with the following security checks:

    • Replay checks by using the optional nonce extension
    • Use of OCSP over SSL
    • OCSP request signing (using smartcard / secure USB token, or software key file PKCS#12/PFX)
    • Ability to set clock tolerance levels
    • Ability to set OCSP/CRL cache periods
    • Ability to verify the OCSP responder’s own cert chain
    • Ability to verify that the CA has authorised the OCSP Responder
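The checks in the list above (nonce replay check, responder authorisation, clock tolerance and cache period) are shown below as policy logic applied to a decoded OCSP response. This is an added example, not Ascertia's code: it works on a constructed, simplified model of an already-decoded response rather than on real DER, and the `SignerCert`, `OcspResponse` and `Policy` types are assumptions made for the example so that it runs offline.

```python
"""OCSP response policy checks of the kind an OCSP client applies before
trusting a response. Added example, not ARP's code: it works on a constructed,
already-decoded model of the response rather than on real DER."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning, RFC 2560 section 4.2.2.2


@dataclass
class SignerCert:  # assumed model of the certificate that signed the response
    subject: str
    issuer: str
    ekus: List[str] = field(default_factory=list)


@dataclass
class OcspResponse:  # assumed model of the decoded BasicOCSPResponse fields used here
    nonce: Optional[bytes]
    produced_at: datetime
    this_update: datetime
    next_update: Optional[datetime]
    signer: SignerCert
    signature_valid: bool  # result of verifying the signature with the signer's key (assumed done)


@dataclass
class Policy:  # assumed model of the client's configurable validation policy
    require_nonce: bool = True
    clock_tolerance: timedelta = timedelta(minutes=5)
    cache_period: timedelta = timedelta(minutes=30)
    trusted_responders: tuple = ()  # responder subjects trusted by local configuration


def check_response(resp, request_nonce, ca_subject, policy, now):
    """Return the list of policy failures; an empty list means the response is acceptable."""
    problems = []
    # Replay protection: the response must echo the nonce that was sent in the request.
    if policy.require_nonce:
        if resp.nonce is None:
            problems.append("nonce missing from response")
        elif resp.nonce != request_nonce:
            problems.append("nonce mismatch (possible replay)")
    if not resp.signature_valid:
        problems.append("signature does not verify")
    # Responder authorisation (RFC 2560 4.2.2.2): the CA itself, a delegated
    # responder certificate issued by that CA carrying id-kp-OCSPSigning,
    # or a responder the local policy explicitly trusts.
    s = resp.signer
    authorised = (
        s.subject == ca_subject
        or (s.issuer == ca_subject and OCSP_SIGNING_EKU in s.ekus)
        or s.subject in policy.trusted_responders
    )
    if not authorised:
        problems.append("responder not authorised by CA")
    # Clock tolerance: allow a little skew, but reject responses dated in the
    # future or already past their nextUpdate.
    tol = policy.clock_tolerance
    if resp.produced_at > now + tol or resp.this_update > now + tol:
        problems.append("response timestamps are in the future")
    if resp.next_update is not None and resp.next_update < now - tol:
        problems.append("response expired (nextUpdate passed)")
    return problems


def cache_until(resp, policy, now):
    """How long a good response may be reused: the configured cache period,
    capped by the responder's own nextUpdate when it gives one."""
    limit = now + policy.cache_period
    if resp.next_update is not None and resp.next_update < limit:
        return resp.next_update
    return limit


# Constructed sample data for a self-check.
NOW = datetime(2011, 6, 1, 12, 0, tzinfo=timezone.utc)
CA = "CN=Example Issuing CA"
NONCE = bytes(range(16))
DELEGATE = SignerCert("CN=Example OCSP Responder", CA, [OCSP_SIGNING_EKU])


def sample(**overrides):
    """A fresh, correctly signed response from the delegated responder, with optional field overrides."""
    base = dict(nonce=NONCE, produced_at=NOW - timedelta(minutes=1),
                this_update=NOW - timedelta(minutes=1),
                next_update=NOW + timedelta(hours=1),
                signer=DELEGATE, signature_valid=True)
    base.update(overrides)
    return OcspResponse(**base)


if __name__ == "__main__":
    policy = Policy()
    print(check_response(sample(), NONCE, CA, policy, NOW))
    print(check_response(sample(nonce=b"\x00" * 16), NONCE, CA, policy, NOW))
    rogue = SignerCert("CN=Rogue Responder", "CN=Other CA", [OCSP_SIGNING_EKU])
    print(check_response(sample(signer=rogue), NONCE, CA, policy, NOW))
```

The authorisation rule is the one that matters most for defenders: a response signed by a key the CA never delegated to, even with a valid signature, is rejected, which is what the "verify that the CA has authorised the OCSP Responder" option enforces.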

  • Management Flexibility

    ARP can be configured and managed centrally using GPO options. Operators can define all the settings that control the OCSP validation requests created by ARP. The degree to which OCSP responses are validated is fully configurable. OCSP transactions can be conducted over SSL and through proxy machines.

Simple Integration

  • Zero Integration for Windows® CAPI applications

    ARP Standard Edition installs itself as a revocation provider within the Microsoft Windows CAPI environment. This means that applications such as Microsoft Outlook, Internet Explorer and Word, and other third-party CAPI-enabled applications, can make use of ARP Standard Edition automatically. Note: for Windows Logon status checking, ARP Enterprise Edition is required.

  • ARP Enterprise Edition SDK

    ARP is available in server mode for identity checking in server applications like Microsoft IIS; see ARP Enterprise Edition for more details. Ascertia also provides an ARP SDK for integrating ARP into your custom applications (including Java, VB and Delphi apps).

Ease of Use

  • Simplified Results Windows

    To aid end-user understanding, ARP provides simple balloon windows with the certificate validation results.
    The conditions under which these windows are visible in the system tray are configurable, as is the length of time they appear on the screen. Importantly, you can configure ARP to show only validation failures so that users are not shown unwanted pop-up messages.

History & Transaction Viewers

  • History Viewer

    ARP comes with a detailed history viewer which retains recent validation transactions, whether they were checked via OCSP or CRLs. Users are able to review all recent validation requests and responses using a plain English interface, e.g.
    • Which application checked which certificate, when, and what the result was for the certificate chain.
    • View the validation transaction details and see the request and response messages in English.

  • OCSP Request/Response Viewers

    By simply clicking on one of the transactions within the ARP History Viewer, an end-user can see the full OCSP request/response transaction.

High Availability

  • Multiple Fallback Options

    ARP can connect to multiple online OCSP responders and can thus switch to a resilient responder if the primary Validation Authority server fails. ARP supports the use of locally configured OCSP responder addresses as well as dynamically finding responders using the certificate’s AIA extension.

  • Support for CRLs

    You may be required to use CRLs as a fallback option. Alternatively, if you need to operate within a multi-scheme environment where some PKIs use OCSP-based identity checking whilst others are CRL-based, then ARP is ideal as it can automatically switch between the two modes depending on the certificate being validated. This is also very valuable when rolling out a new OCSP infrastructure to replace CRLs: ARP can handle both automatically.
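The responder ordering and fallback behaviour described in the two points above (configured responders first, then AIA-discovered ones, then CRLs, switching mode per certificate) is shown below as an added example. It is not Ascertia's code: the `Cert` model, the `validate` and `responder_candidates` functions and the `make_fetchers` stand-ins are assumptions made for the example, and the fetchers simulate outages instead of making network requests so the logic can be exercised offline.

```python
"""Responder discovery and fallback ordering for a revocation client. Added
example, not ARP's code. ocsp_fetch and crl_fetch are callables standing in for
the real network transactions; the ones built here are constructed to simulate
dead servers."""
from typing import Dict, List, Set


class Cert:
    """Minimal constructed model of the certificate fields the selection logic needs."""
    def __init__(self, serial: str, aia_ocsp=None, crl_dps=None):
        self.serial = serial
        self.aia_ocsp = list(aia_ocsp or [])  # OCSP URLs taken from the AIA extension
        self.crl_dps = list(crl_dps or [])    # CRL distribution point URLs


def responder_candidates(cert: Cert, configured: List[str], use_aia: bool = True) -> List[str]:
    """Locally configured responders are tried first, then AIA-discovered ones,
    with duplicates removed so a dead responder is not retried for no reason."""
    ordered: List[str] = []
    for url in list(configured) + (cert.aia_ocsp if use_aia else []):
        if url not in ordered:
            ordered.append(url)
    return ordered


def validate(cert, configured, ocsp_fetch, crl_fetch, crl_fallback=True):
    """Try each OCSP responder in order; if none gives a definitive answer, fall
    back to the certificate's CRL distribution points when policy allows.
    Returns (status, source) so a history viewer can record which mechanism answered."""
    for url in responder_candidates(cert, configured):
        try:
            status = ocsp_fetch(url, cert)
        except ConnectionError:
            continue  # responder down: move on to the next, resilient one
        if status in ("good", "revoked"):
            return status, "ocsp:" + url
        # "unknown" means this responder is not authoritative for the cert; keep looking
    if crl_fallback:
        for dp in cert.crl_dps:
            try:
                revoked_serials = crl_fetch(dp)
            except ConnectionError:
                continue
            return ("revoked" if cert.serial in revoked_serials else "good"), "crl:" + dp
    return "unknown", "none"


def make_fetchers(down: Set[str], ocsp_answers: Dict[str, str], crl_contents: Dict[str, Set[str]]):
    """Constructed stand-ins: any URL listed in `down` raises ConnectionError like a dead server."""
    def ocsp_fetch(url, cert):
        if url in down:
            raise ConnectionError(url)
        return ocsp_answers.get(cert.serial, "unknown")

    def crl_fetch(url):
        if url in down:
            raise ConnectionError(url)
        return crl_contents.get(url, set())
    return ocsp_fetch, crl_fetch


# Constructed scenario data (placeholder hostnames).
PRIMARY = "http://ocsp-primary.example"
SECONDARY = "http://ocsp-backup.example"
AIA_URL = "http://ocsp.aia.example"
CRL_URL = "http://crl.example/ca.crl"
OCSP_CERT = Cert("1001", aia_ocsp=[AIA_URL], crl_dps=[CRL_URL])
CRL_ONLY_CERT = Cert("2002", crl_dps=[CRL_URL])  # issued by a PKI that publishes no OCSP service
ANSWERS = {"1001": "good"}           # what the responders know
CRLS = {CRL_URL: {"2002"}}           # serial 2002 appears on the CRL


def scenario(down):
    """Validate both certificates against the configured responders with the given URLs down."""
    ocsp_fetch, crl_fetch = make_fetchers(set(down), ANSWERS, CRLS)
    return (validate(OCSP_CERT, [PRIMARY, SECONDARY], ocsp_fetch, crl_fetch),
            validate(CRL_ONLY_CERT, [PRIMARY, SECONDARY], ocsp_fetch, crl_fetch))


if __name__ == "__main__":
    print(scenario([]))                               # primary answers; CRL-only cert goes to its CRL
    print(scenario([PRIMARY]))                        # switches to the resilient responder
    print(scenario([PRIMARY, SECONDARY, AIA_URL]))    # every responder down: CRL fallback
```

Note the source tag returned alongside the status: when the primary responder is down and a decision came from a CRL instead, that fact is worth recording and alerting on, since a silent fallback to an older CRL weakens the freshness guarantee OCSP was deployed to provide.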

Standards Compliance & Interoperability

  • Standards Compliance

    ARP is completely standards based and complies with all relevant standards such as RFC 2560, X.509v3 Certificates, X.509v2 CRLs, CAPI, PKCS#12, SSL/TLS and LDAP.

  • PKI Neutral

    As a result of its standards compliance ARP is fully PKI neutral and will work with PKI components from any vendor (this includes CAs, certificates, CRLs, OCSP responders, smartcards, etc.).

  • Certifications

    ARP has been IdenTrust™ Compliance Program certified.

Copyright © 2002-2011 Ascertia. All rights reserved.


Ascertia is a global provider of Digital Signature products and solutions that enable trust within electronic workflows. Organisations can now safely cross the final hurdle in migrating old paper-intensive approval processes to the new secure digital world. Ascertia’s Digital Signing products are designed to be easy to integrate and use in a range of business scenarios.