X.509 PKI
Features
Registration Authority (RA)
- Verifies the SSOCircle identity
- Checks that the signing request is compliant with SSOCircle rules
- Binds a certificate to a SSOCircle identity
Certification Authority (CA)
- Signs and Issues Certificates
- Web-form-based automatic enrollment for Internet Explorer and Firefox-compatible browsers
- Enrollment for PKCS#10 Certificate Signing Requests (CSR)
- Certificate revocation – in case your certificate is compromised
Validation Authority (VA)
- Checks the validity of a Certificate at sign on
- Checks validity period, issuer and signature
- Checks revocation status
- Checks that the certificate is bound to a specific SSOCircle user
Benefits
- Strong Authentication to the Identity Provider
- Support for configuration and enrollment on USB smart card tokens
- Passwords/PINs are not sent over the Internet – network sniffing of passwords impossible
- No phishing vulnerability – no faked login form can intercept and read your credentials
About Public Key Infrastructure
A private/public key pair allows signing and encryption of messages such as e-mails and can be used for authentication. Possession of a key pair alone, however, does not provide a way of verifying that the user is who they claim to be. To complement this, someone is needed who asserts that the owner of a specific key pair is identity X. That someone is the CA, and the attestation it issues is the certificate. The certificate basically wraps the public key and augments it with information about who the user is – the certificate subject – and a validity period. This information is signed by the CA, so it cannot be altered without invalidating the signature. The ITU-T standard that describes the format of a certificate is X.509.
A certificate is similar to your passport, which states that you are Mr. or Mrs. X and uses sophisticated methods to ensure that the identity statement cannot be modified.
The Registration Authority in the real-life example above would be the passport authority, and the binding would be done through a birth certificate, a social security number or similar, depending on the country you are in.
A real-life example of a Validation Authority is the passport inspection when entering a country. The inspectors check your passport by comparing the photo or other biometric data in the passport with the person presenting it, i.e. something noted in the passport is compared to something the person has.
In the Internet world such a visual inspection is not practical. There, the “something a person has” is their private key. By signing or encrypting a message the sender is identified, because only the matching public key is able to verify or decrypt it – exactly the public key wrapped inside the certificate that states the binding of Mr. or Mrs. X to that key.
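The following is an added example, not SSOCircle's code: a miniature CA issues a certificate from a PKCS#10 CSR, and a VA-style function then performs the checks listed under Validation Authority (signature, issuer, validity period, subject binding) with the openssl command-line tool. The names used ("Demo CA", "Rogue CA", "Max Mustermann") are made up for the demo, and a second, untrusted CA is included only to show that a correctly signed certificate from the wrong issuer is rejected.

```shell
#!/bin/sh
# Added example, not SSOCircle's code. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# CA: a self-signed root whose key signs user certificates (made-up name)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo CA" -days 365 >/dev/null 2>&1
# A second, untrusted CA, used below to show that the wrong issuer is rejected
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
    -subj "/CN=Rogue CA" -days 365 >/dev/null 2>&1

# User: key pair plus a PKCS#10 CSR, the input to manual enrollment (made-up name)
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=Max Mustermann" >/dev/null 2>&1
# CA signs the CSR: the certificate now binds the subject name to the public key
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out user.pem -days 30 >/dev/null 2>&1

# name_of CERT -subject|-issuer: the name in RFC 2253 form without the "subject=" prefix
name_of() { openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*=//'; }

# va_check CERT TRUSTED_CA EXPECTED_CN: returns 0 only if every check passes.
# Revocation status (CRL/OCSP) is the one VA check this example does not perform.
va_check() {
    cert=$1; ca=$2; expected=$3
    # 1. signature: the certificate must chain to the trusted CA
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # 2. issuer: the issuer name must equal the trusted CA's subject name
    [ "$(name_of "$cert" -issuer)" = "$(name_of "$ca" -subject)" ] || return 1
    # 3. validity period: -checkend 0 fails if the certificate has already expired
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 1
    # 4. binding: the subject must be the user who is signing on
    [ "$(name_of "$cert" -subject)" = "CN=$expected" ] || return 1
    return 0
}

if va_check user.pem ca.pem "Max Mustermann"; then echo "user.pem accepted"; fi
if ! va_check user.pem rogue.pem "Max Mustermann"; then echo "wrong issuer rejected"; fi
if ! va_check user.pem ca.pem "Someone Else"; then echo "wrong subject rejected"; fi
```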
Getting started with the SSOCircle PKI
- Register your account with SSOCircle if not done already
- Sign in to the self administration area
- Use the enrollment process there – either automatic or manual
- Follow the steps from key generation to signing and importing your certificate
- Sign out and then sign in using the cert based login button at SSOCircle login page.
- Publish your certificate to your OpenID public profile – for additional uses such as e-mail encryption and signature verification. See how our demo user Max Mustermann did it.
If your security requirements call for stronger authentication, get the ePass or StorePass USB smart card devices and follow the automatic enrollment procedure described above. The tokens are available from RS-Computer.