CertCo Inc. last week released CertValidator, a solution designed to provide an extra level of trust for digital certificates by automatically checking whether a certificate is still considered valid by its issuer.
Digital certificates are one of the most trusted ways of authenticating the identity of a party transmitting a document or completing a transaction, and they are the basis of the public-key infrastructure (PKI) solutions that many agencies are putting in place to secure interactions over the Internet. And a key issue in determining the validity of a certificate is whether it has been revoked or suspended by its certificate authority.
This is what CertValidator checks to make organizations feel more comfortable using digital certificates for high-level transactions, whether they are exchanging money or information, said Brian Skedd, vice president of products and services with CertCo.
"It enables higher levels of trust to be introduced to higher-value, higher-level transactions," Skedd said. "Not only do the receivers of the certificate want to know that [the certificates] have been issued by a trusted authority ... but also that it is still trusted."
Most PKI-enabled applications, including most e-mail clients, World Wide Web browsers and Web servers, are not able to validate the status of digital certificates, said Diana Kelley, a senior security analyst with the Hurwitz Group. Therefore, she said, CertValidator brings a definite value to the security market. "It will check that the certificate hasn't expired, but it doesn't check the actual revocation," Kelley said. "But [that check] is absolutely essential to have any security."
CertValidator is based on several standards, including the emerging online certificate status protocol (OCSP) established by the Internet Engineering Task Force, an industry consortium. The technology stores in a repository the certificate revocation lists (CRLs) maintained and updated by certificate authorities and registration authorities for the status of all certificates, saving organizations the time it takes to continually request the CRLs.
The product also is compatible with many of the most popular PKI solutions, including those from Baltimore Technologies Inc., Entrust Technologies Inc., GTE CyberTrust, Microsoft Corp. and VeriSign Inc. This is important in the federal market considering the number of PKI solutions that have been and will be deployed just within one agency, Skedd said.
"We are aiming that CertValidator will sit within a ring of PKIs," he said.
Also, any time a certificate's status is requested from the repository or information is updated, the system logs it, creating an audit trail. And every action is signed with a digital signature, ensuring that it has not been tampered with, Skedd said.
"All interactions with the server are logged in a secure way," he said. "If anybody attempts to change critical information within the secure store, it will be observed that it has been changed."
All of this is more than is available from most vendors, especially the use of OCSP, and is a critical piece of a truly secure PKI solution, Kelley said. But at the same time, CertValidator's reliance on CRLs leaves it open to some of the same problems as faced in the past, Kelley said.
"It will inherit all the data latency of the back-end certificate revocation list," she said. Such lists usually are not updated more than once a day, which means that a certificate revoked within that time could still slip through, she said.
To address this issue, CertCo has included its Fast-Path Revocation and Fast-Path Suspension technologies in CertValidator. These allow an administrator to revoke or suspend a certificate that is suspect without waiting for the certificate authority to issue its next CRL.
"You cannot always afford to wait for CRLs to be approved," Skedd said.
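The three points above can be put side by side in code: the expiry-only check Kelley describes, a real CRL lookup, the latency window of a once-a-day CRL, and a local entry that closes that window. This is an added, constructed Python model, not CertCo's code; the `fast_path` map is an assumed stand-in for the Fast-Path Revocation and Suspension entries, and all dates and serial numbers are made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass
class CRL:
    this_update: datetime                 # when the CA issued this list
    next_update: datetime                 # when the CA promises the next one
    revoked: dict = field(default_factory=dict)   # serial -> X.509 reason code

def expiry_only_check(cert, now):
    """The check most PKI-enabled clients stop at: is 'now' inside the
    validity period? It says nothing about revocation or suspension."""
    return cert.not_before <= now <= cert.not_after

def validate(cert, crl, now, fast_path=None):
    """Full status decision. fast_path is a constructed stand-in for an
    administrator's local revoke/suspend entries that take effect before
    the CA's next CRL; its values are 'revoked' or 'suspended'."""
    if not expiry_only_check(cert, now):
        return "expired"
    if fast_path and cert.serial in fast_path:
        return fast_path[cert.serial]           # local decision wins
    if cert.serial in crl.revoked:
        reason = crl.revoked[cert.serial]
        return "suspended" if reason == "certificateHold" else "revoked"
    if now > crl.next_update:
        return "unknown"                        # stale CRL: silence is not 'good'
    return "good"

def crl_latency(crl, now):
    """Window during which a revocation is invisible to this CRL."""
    return now - crl.this_update

# Constructed sample data: a CRL issued at midnight, checked at noon.
NOW = datetime(2000, 6, 1, 12, 0)
CRL_TODAY = CRL(datetime(2000, 6, 1, 0, 0), datetime(2000, 6, 2, 0, 0),
                {2: "keyCompromise", 3: "certificateHold"})
CERTS = {s: Cert(s, datetime(1999, 1, 1), datetime(2001, 1, 1)) for s in (1, 2, 3, 4)}
CERTS[5] = Cert(5, datetime(1998, 1, 1), datetime(1999, 1, 1))   # expired

def demo(fast_path=None, days_later=0):
    """Map each sample serial to (expiry-only result, full validation result).
    Serial 4 stands for a certificate the CA revoked after this CRL was issued."""
    now = NOW + timedelta(days=days_later)
    return {s: (expiry_only_check(c, now), validate(c, CRL_TODAY, now, fast_path))
            for s, c in CERTS.items()}
```

Serial 4 passes both checks until a fast-path entry is added or the next CRL arrives, which is exactly the latency gap Kelley points to.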
In the future, this type of product could be used to provide even more real-time information about certificate holders, said Peter Lieberwirth, vice president of engineering at CertCo. But the company's first priority will be to get more application vendors to include support for the verification technology in their products, he said.
"We want to help industry move forward in terms of applications and tools that are using this technology," he said.