Communicating over the internet requires trust in the electronic identity (eID) of the transacting parties. Only after such trust is established should access be granted to online systems and web-based resources, and only then should digitally signed agreements be accepted with confidence.
The use of PKI-based digital certificates is a long-accepted technique for managing electronic identities. It forms an essential element in securing communications channels within protocols such as SSL/TLS and IPSEC. Digital passports and citizen eID cards with embedded digital certificates that confirm the identity of the holder are becoming more common.
All these digital certificates need to be validated by relying parties since they may have been compromised or revoked after issuance. They also need to be checked because there may be a range of certificates issued by different issuers under different security policies to meet different trust levels. Deciding which digital certificates to trust can be a complicated task.
For US Federal and Defence organizations, FIPS 201-certified validation products are required to ensure that PIV certificates are properly checked and fully validated according to the latest PKITS requirements, and that they function correctly during complex delegated path discovery and delegated path validation within the Federal Bridge PKI environment.
Ascertia provides a one-stop shop to meet all such electronic identity validation requirements. We have the widest range of digital certificate validation servers, clients, plug-ins, SDKs as well as test and management tools.
Signature Verification Simplified
Ascertia's ADSS Server is based on industry-accepted protocols for communicating with an e-Trust server, including OASIS Digital Signature Specifications (DSS and DSS-X), W3C XML Key Management Specification (XKMS), IETF RFC 5055 Server-Based Certificate Validation Protocol (SCVP) for full certificate validation, IETF RFC 2560 Online Certificate Status Protocol (OCSP) for real-time revocation status checking, and X.509 v2 CRL monitoring and archiving, including handling of indirect and delta CRLs.
The following table shows the products that are appropriate to meet various business needs:
Validation Authority Servers
OCSP Server Validation Authority: provides Online Certificate Status Protocol (RFC 2560 OCSP) information on behalf of multiple Certificate Authorities, each assigned a unique validation policy. FIPS 201 certified.
SCVP Server Validation Authority: uses the IETF RFC 5055 SCVP protocol to fully validate a digital certificate by building the chain and checking each certificate's expiry and revocation status. FIPS 201 certified.
Web Services XKMS Validation Authority: based on the W3C XKMS Validation Service protocol for fully validating a digital certificate (e.g. building the chain, checking expiry, checking revocation, checking quality according to PEPPOL requirements).
OASIS Web Services Verification Authority: uses OASIS DSS-X verification reports when fully validating a digital certificate (e.g. building the chain, checking expiry, checking revocation, checking quality according to PEPPOL requirements).