Complete software solution that enables digital certificate validation in a scalable, secure and cost-effective manner.
A digital certificate provides a secure way to authenticate the identity of a person or computer. Unfortunately, authentication does not determine whether the certificate itself is still valid, or whether its associated roles and privileges are still current. A relying party must check for status changes and revocation to implement a truly secure Public Key Infrastructure (PKI). This validation check must be both fast and secure to support a medium to large PKI environment.
Classically, there have been two approaches to certificate validation. In the first solution, a trusted authority periodically publishes a signed master list of all valid or revoked certificates. This Certificate Revocation List (CRL) rapidly grows to an unusable size for environments with more than a few thousand certificates.
The second approach requires direct communication with a secured, trusted authority that can verify the validation status of each certificate. This approach, known as Traditional OCSP, requires each validation server to be protected against both physical and network attacks, since any successful compromise can allow an intrusion by revoked or stolen certificates. The security risks and associated costs make this approach unacceptable for most medium and large PKI environments with more than one validation authority.
HID Global’s ActivID Validation Authority (VA) provides a revolutionary third approach for digital certificate validation, called Distributed OCSP. This is based on the centralized (potentially offline) generation of signed validation proofs that can be published through an extremely scalable network of lightweight, unsecured Responders.
The VA serves as a fully compatible drop-in replacement for a Traditional OCSP infrastructure to offer radically improved security, at a fraction of the total cost.
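The Distributed OCSP idea described above, reduced to its security property, as an added example that is not HID Global's code or the ActivID format: the authority signs each status proof once, the responder only stores and returns proofs, and the relying party rejects altered, substituted or stale ones. The `Proof` layout, the use of Ed25519, the serial numbers and the timestamps are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Proof is a pre-signed status statement (constructed format, not OCSP encoding; Unix seconds).
type Proof struct {
	Serial                 uint64
	Revoked                bool
	ThisUpdate, NextUpdate int64
	Sig                    []byte
}

// tbs returns the bytes the signature covers: every field except Sig, in fixed order.
func (p Proof) tbs() []byte {
	return []byte(fmt.Sprintf("%d|%t|%d|%d", p.Serial, p.Revoked, p.ThisUpdate, p.NextUpdate))
}

// Issue runs only at the central authority, which holds the private key and may be offline.
func Issue(key ed25519.PrivateKey, serial uint64, revoked bool, now, ttl int64) Proof {
	p := Proof{Serial: serial, Revoked: revoked, ThisUpdate: now, NextUpdate: now + ttl}
	p.Sig = ed25519.Sign(key, p.tbs())
	return p
}

// Check runs at the relying party and trusts only the authority's public key, not the responder.
func Check(pub ed25519.PublicKey, p Proof, serial uint64, now int64) (bool, error) {
	switch {
	case p.Serial != serial:
		return false, fmt.Errorf("proof is for a different certificate")
	case !ed25519.Verify(pub, p.tbs(), p.Sig):
		return false, fmt.Errorf("bad signature: proof altered or not from the authority")
	case now < p.ThisUpdate || now > p.NextUpdate:
		return false, fmt.Errorf("proof outside its validity window")
	}
	return !p.Revoked, nil
}

func main() {
	pub, key, _ := ed25519.GenerateKey(nil) // the private key stays at the authority
	t0 := int64(1700000000)                 // constructed issuance time
	good, revoked := Issue(key, 1001, false, t0, 3600), Issue(key, 1002, true, t0, 3600)
	forged := revoked
	forged.Revoked = false // a compromised responder flips the status of serial 1002
	for _, p := range []Proof{good, revoked, forged} { // what an unkeyed responder could return
		fmt.Println(Check(pub, p, p.Serial, t0+60))
	}
}
```

The validity window bounds how long a responder can keep serving an old "good" proof after a revocation, so the proof lifetime sets the revocation latency.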