Identity Validation

Business Needs

Communicating over the internet requires trust in the electronic identity (eID) of the transacting parties. Only after such trust is established should access be granted to online systems and web-based resources, and only then should digitally signed agreements be accepted with confidence.

The use of PKI-based digital certificates is a long-accepted technique for managing electronic identities. It forms an essential element in securing communications channels within protocols such as SSL/TLS and IPsec. Digital passports and citizen eID cards with embedded digital certificates that confirm the identity of the holder are becoming more common.

All these digital certificates need to be validated by relying parties since they may have been compromised or revoked after issuance. They also need to be checked because there may be a range of certificates issued by different issuers under different security policies to meet different trust levels. Deciding which digital certificates to trust can be a complicated task.

For US Federal and Defence organizations, FIPS 201 certified validation products are required to ensure that PIV certificates are properly checked and fully validated according to the latest PKITS requirements, and that validation functions correctly during complex delegated path discovery and delegated path validation within the Federal Bridge PKI environment.

Ascertia provides a one-stop shop to meet all such electronic identity validation requirements. We have the widest range of digital certificate validation servers, clients, plug-ins, SDKs as well as test and management tools.

Signature verification simplified

Ascertia's ADSS Server is based on industry-accepted protocols for communicating with an e-Trust server: OASIS Digital Signature Services (DSS and DSS-X), the W3C XML Key Management Specification (XKMS), IETF RFC 5055 Server-Based Certificate Validation Protocol (SCVP) for full certificate validation, IETF RFC 6960 Online Certificate Status Protocol (OCSP) for real-time revocation status checking, and X.509 v2 CRL monitoring and archiving, including handling of indirect and delta CRLs.

Use case mapping

The following table maps common use cases against Ascertia products. This is not a complete list of use cases, so do get in touch with us if you have any special requirements.

Use Case: OCSP Server
Ascertia Product: Validation Authority
Provides Online Certificate Status Protocol (RFC 6960 OCSP) responses on behalf of multiple Certificate Authorities, each assigned a unique validation policy. FIPS 201 certified.

Use Case: SCVP Server
Ascertia Product: Validation Authority
Provides the IETF RFC 5055 SCVP protocol for fully validating a digital certificate: building the chain, checking the expiry of each certificate in it, and checking revocation status. FIPS 201 certified.

Use Case: Web Services XKMS
Ascertia Product: Validation Authority
Based on the W3C XKMS Validation Service protocol for fully validating a digital certificate (building the chain, checking expiry, checking revocation, and checking quality according to PEPPOL requirements).

Use Case: OASIS Web Services
Ascertia Product: Verification Authority
Uses OASIS DSS-X verification reports when fully validating a digital certificate (building the chain, checking expiry, checking revocation, and checking quality according to PEPPOL requirements).

Use Case: OCSP Service Monitoring & Reporting
Essential to ensure that an OCSP Validation Authority is available and responding according to agreed SLAs. Provides email and SMS alerts to administrators.

Use Case: CRL Service Monitoring & Reporting
Essential for checking that readable, trustworthy and valid CRLs are being published on time according to the stated certificate policy. Provides email and SMS alerts to administrators.

Use Case: OCSP Performance Tool
For stress testing the performance of an OCSP Validation Authority.

Use Case: OCSP Policy Validation Tool
For checking that OCSP Validation Authority validation policies are correctly implemented.
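The validation steps listed above (build the chain to a trusted root, check the expiry of each certificate, check revocation status) as an added, self-contained example. This is not Ascertia or ADSS Server code; it uses only the Go standard library and constructs its own throwaway CA, three end-entity certificates and one CRL, so every key and serial in it is fixture material. It covers direct CRLs only; indirect and delta CRLs, OCSP and SCVP are outside its scope. The function names (ValidateWithCRL, RunScenarios) and the fixed "now" timestamp are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidateWithCRL performs the relying-party checks listed in the table: chain
// building and validity-period checks (x509.Verify), then the issuer's CRL:
// correct signer, inside its thisUpdate/nextUpdate window, serial lookup.
// Direct CRLs only. now is a parameter so the result is reproducible.
func ValidateWithCRL(leaf, issuer *x509.Certificate, roots *x509.CertPool, crlDER []byte, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}} // not a TLS-server check
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl parse: %w", err)
	}
	// A CRL not signed by the certificate's issuer is not evidence of status.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	// A stale CRL may predate the revocation being looked for: fail closed.
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return fmt.Errorf("crl outside its validity window (%s .. %s)", crl.ThisUpdate, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

// must panics on fixture-construction errors; they are not validation results.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenarios holds the outcome for three constructed end-entity certificates.
type Scenarios struct{ Good, Revoked, Expired error }

// RunScenarios builds a throwaway CA, three leaf certificates and one CRL
// (constructed test material, not real keys) and validates each leaf.
func RunScenarios() Scenarios {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC) // assumed evaluation time
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	eeKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	mint := func(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
		der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))
		return must(x509.ParseCertificate(der))
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := mint(caTmpl, caTmpl, &caKey.PublicKey) // self-signed root
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf := func(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
		return mint(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		}, ca, &eeKey.PublicKey)
	}
	good := leaf(1001, "alice", now.AddDate(0, -1, 0), now.AddDate(1, 0, 0))
	revoked := leaf(1002, "bob", now.AddDate(0, -1, 0), now.AddDate(1, 0, 0))
	expired := leaf(1003, "carol", now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0))
	// One CRL published yesterday, valid for a week, listing bob's serial.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.AddDate(0, 0, -1), NextUpdate: now.AddDate(0, 0, 6),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.SerialNumber, RevocationTime: now.AddDate(0, 0, -1)},
		},
	}, ca, caKey))
	return Scenarios{
		Good:    ValidateWithCRL(good, ca, roots, crlDER, now),
		Revoked: ValidateWithCRL(revoked, ca, roots, crlDER, now),
		Expired: ValidateWithCRL(expired, ca, roots, crlDER, now),
	}
}

func main() {
	s := RunScenarios()
	fmt.Printf("good: %v\nrevoked: %v\nexpired: %v\n", s.Good, s.Revoked, s.Expired)
}
```

Two design points worth noting: the CRL window check fails closed, because a CRL past its nextUpdate may simply predate the revocation being looked for, and the CRL signature is checked against the certificate's issuer before any serial lookup, since an unverified CRL proves nothing about status. A production validator would add the CRL distribution point and issuer-name match, indirect and delta CRL handling, and an OCSP path, which is the work the products above perform.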

Sales Inquiries:
+44 (0)800 772 0 442