Business Needs
Communicating over the internet requires trust in the electronic identity (eID) of the transacting parties. Only after such trust is established should access be granted to online systems and web-based resources, and only then should digitally signed agreements be accepted with confidence.
The use of PKI-based digital certificates is a long-accepted technique for managing electronic identities. It forms an essential element in securing communications channels within protocols such as SSL/TLS and IPsec. Digital passports and citizen eID cards with embedded digital certificates that confirm the identity of the holder are becoming more common.
All these digital certificates need to be validated by relying parties, since they may have been compromised or revoked after issuance. They also need to be checked because a range of certificates may be issued by different issuers under different security policies to meet different trust levels. Deciding which digital certificates to trust can be a complicated task.
Ascertia provides a one-stop shop to meet all such electronic identity validation requirements. We have the widest range of digital certificate validation servers, clients, plugins, SDKs as well as test and management tools.
Signature Verification Simplified
Ascertia's ADSS Server is based on industry-accepted protocols for communicating with an e-Trust server, including the OASIS Digital Signature Specifications (DSS and DSS-X), the W3C XML Key Management Specification (XKMS) and the IETF RFC 5055 Server-based Certificate Validation Protocol (SCVP) for full certificate validation, the IETF RFC 2560 Online Certificate Status Protocol (OCSP) for real-time revocation status checking, and X.509 v2 CRL monitoring and archiving, including handling of indirect and delta CRLs.
The following table shows the products that are appropriate to meet various business needs:
Validation Authority Servers

  OCSP Server Validation Authority: For providing certificate status information on behalf of multiple digital certificate issuers, each with unique validation policies.

  Web Services Validation Authority: Based on the OASIS DSS-X verification reports interface for fully validating a digital certificate (e.g. building the chain, checking expiry, checking revocation, checking quality according to PEPPOL requirements, etc.).

  Web Services XKMS Validation Authority: Based on the W3C XKMS Validation Service protocol for fully validating a digital certificate (e.g. building the chain, checking expiry, checking revocation, checking quality according to PEPPOL requirements, etc.).

  SCVP RFC 5055 Validation Authority: Based on the IETF SCVP protocol for fully validating a digital certificate (e.g. building the chain, checking expiry, checking revocation, checking quality according to PEPPOL requirements, etc.).

Validation Clients

  OCSP/CRL plug-in for CAPI: For Microsoft and third-party CAPI applications (such as Outlook, IE, etc.). Able to check certificate status using real-time OCSP, CRLs or a cache. Supports GPO central management and user-friendly messages.

  Server-side OCSP plug-in: Server-side OCSP/CRL component for checking certificate status on servers such as Microsoft IIS or Domain Controllers for smartcard-based Windows logon.

  OCSP Service Monitoring & Reporting: Essential to ensure that an OCSP Validation Authority is available and responding according to agreed SLAs. Provides email and SMS alerts to administrators.

  CRL Service Monitoring & Reporting: Essential for checking that readable, trustworthy and valid CRLs are being published on time according to the stated certificate policy. Provides email and SMS alerts to administrators.

  OCSP Performance Tool: For stress testing the performance of an OCSP Validation Authority.

  OCSP Policy Validation Tool: For checking that OCSP Validation Authority validation policies are correctly implemented.