Enterprise suite lends validity to certificates

ValiCert Inc. is addressing the problem of validating certificates for public key infrastructure (PKI) and digital certificate systems by allowing users to host their own certificate revocation data for both internal and external queries.

Designed to sit side-by-side with a company’s certificate authority software, ValiCert Enterprise VA 2.0 returns a validity status for any X.509 certificate using the current validation mechanisms: Certificate Revocation Lists (CRLs), the On-line Certificate Status Protocol (OCSP), CRL Distribution Points (CRLDP), and ValiCert’s own Certificate Revocation Tree (CRT) validation. Both on-line and off-line status checking are supported.

According to Sathvik Krishnamurthy, vice-president of marketing and business development at ValiCert, one of the challenges of having multiple certification authorities (CAs) is that they support different methods of validation. Often, just having a CA is not enough, he said.

“Certificate authorities focus on creating digital certificates and managing their certificate lifecycle. So they are good at user authentication and issuing digital certificates. But there needs to be a separation of duties between a certificate authority and a validation authority,” he explained.

“Validation authorities serve as the checks and balances for certificate authorities, so that the place people go to determine the trust status of a certificate is different than the place where someone got the certificate in the first place.”

The suite includes an E-Mail Validator, which plugs into Secure MIME-based e-mail clients; an Address Book Validator, which regularly scans the certificates in an e-mail name and address book to see whether they are still valid; and a Browser Validator, which alerts end-users within a company when a commerce server is using a Secure Sockets Layer certificate that has been revoked. There is also a new Validator Toolkit for integrating the checks into applications, and a VA Publisher, which distributes regularly updated CRL information from various CAs to ValiCert’s server.

“Whenever there is a change in validation status of a credential, it gets pushed into the system. So there’s a very small latency between a revocation event and its appearance in the infrastructure,” Krishnamurthy said.

Also new in version 2.0 are OCSP support and plug-ins for certificate-enabled applications including Outlook 98 and Windows Address Book, as well as various Web servers and browsers.

Queries to the system can be configured according to corporate policy, and the response to an invalid certificate may include actions such as shutting down the system, warning the user, or ignoring the file and logging it for future reference.
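The policy-driven checking described above, as an added illustration that is not ValiCert’s code: a small Python model of a validation authority that keeps the newest CRL pushed for each issuer, reports a missing or expired CRL as “unknown” rather than “good”, and maps each outcome to a configured action. Issuer names, serial numbers and the action labels are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Status(Enum):
    GOOD = "good"          # fresh CRL held for the issuer, serial not listed
    REVOKED = "revoked"    # fresh CRL held for the issuer, serial listed
    UNKNOWN = "unknown"    # no CRL for the issuer, or the held one has expired

@dataclass(frozen=True)
class CrlSnapshot:
    """Revocation data from one CA; constructed stand-in for a parsed CRL."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset

class ValidationAuthority:
    """Keeps the newest CRL per issuer and maps the lookup result to an action."""
    def __init__(self, policy):
        self.policy = policy   # Status -> action chosen by the relying party
        self.crls = {}         # issuer -> most recent CrlSnapshot

    def publish(self, crl):
        # A pushed CRL replaces the held one only if it is newer.
        held = self.crls.get(crl.issuer)
        if held is None or crl.this_update > held.this_update:
            self.crls[crl.issuer] = crl

    def status(self, issuer, serial, now):
        crl = self.crls.get(issuer)
        # A missing or expired CRL is reported as UNKNOWN, never as GOOD.
        if crl is None or not (crl.this_update <= now <= crl.next_update):
            return Status.UNKNOWN
        return Status.REVOKED if serial in crl.revoked_serials else Status.GOOD

    def decide(self, issuer, serial, now):
        st = self.status(issuer, serial, now)
        return st, self.policy[st]

POLICY = {Status.GOOD: "accept", Status.REVOKED: "reject", Status.UNKNOWN: "warn-and-log"}

def demo(now=datetime(2000, 1, 1, 12, tzinfo=timezone.utc)):
    va, day = ValidationAuthority(POLICY), timedelta(days=1)
    # Constructed data: corporate CA has a fresh CRL listing serial 0x1A2B;
    # the partner CA's CRL has already passed its nextUpdate.
    va.publish(CrlSnapshot("CN=Corp CA", now - day, now + day, frozenset({0x1A2B})))
    va.publish(CrlSnapshot("CN=Partner CA", now - 10 * day, now - 3 * day, frozenset()))
    return {"revoked": va.decide("CN=Corp CA", 0x1A2B, now),
            "good": va.decide("CN=Corp CA", 0x1A2C, now),
            "stale": va.decide("CN=Partner CA", 1, now),
            "no_data": va.decide("CN=Unknown CA", 1, now)}
```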

“That allows users to automatically and transparently confirm the status of a certificate before they actually use it, so that it can elevate the level of trust of the system to the highest level possible,” Krishnamurthy said.

Tyson Macaulay, chief technical officer of General Network Services Inc., an Ottawa-based PKI software firm, said his company is integrating the Enterprise VA Suite into its own product so that people can send reliable information from different PKIs in heterogeneous environments.

“If you have a key but you don’t check the status of it then it’s not really worth a lot. So the ValiCert system allows you to apply automatic status checking to the keys you are using,” he said. “But it goes beyond that, because it allows you to check the status of certificates from other PKIs.”

Jonathan Penn, senior analyst at Ferris Research Inc. in San Francisco, said the product helps solve the problem of confirming that a certificate was valid at the time it was sent.

“When you start talking about using certs outside of your own organization…then there comes the issue of not so much recognizing it as seeing that it hasn’t been revoked. That’s the validation issue,” he said.

“The CA is going to have information about its own certificates, and that is going to be extremely timely because it controls that information. But it’s not going to have the information, not in a timely way, for other CAs and those certificates. So [this product] adds functionality; it adds a critical piece to the puzzle.”

According to Penn, this type of validation is especially important when dealing with high-value transactions. “And the higher the value of the transaction, the more timely you need the validation information,” he said.

“There aren’t really other products like this. [ValiCert is] filling a very critical need.”

ValiCert Enterprise VA Suite (www.valicert.com/products/server/) sells for US$25,000 for 25,000 users.

ValiCert in Mountain View, Calif., is at (650) 567-5400.