PKI (HSPD-12) for controlling access to your web applications

Medical Technology, Healthcare & Government IT


If you’re looking for a quick and easy way to let web applications authenticate users with their PIV cards, and to let more thin-client solutions be HSPD-12 compliant, check out the Public Key Infrastructure Framework (PKIF) and WebCullis projects.

What’s slick about WebCullis is that it’s an IIS- and Apache-compatible web module that makes most of the process transparent. Here’s what the developers say about the projects, verbatim from their website:

PKIF provides a variety of capabilities useful in enabling applications, including:

  • Certification path building and discovery compatible with the DoD PKI and the Federal bridged environments.
  • RFC 5280-compliant path validation.
  • Supports RFC 3852 (Cryptographic Message Syntax).
  • Supports RFC 3161 (Timestamp protocol).
  • Supports RFC 5055 (SCVP) and RFC 4998 (ERS), along with RFC 5276 (SCVP/ERS wantBacks).
  • wxWidgets-based cross-platform GUI controls.
  • Enabling applications is simple.
  • Multiple certificate sources are supported, including LDAP-accessible directories, web servers, CAPI certificate stores, NSS certificate stores and other application-specified sources.
  • Can retrieve revocation information from local stores, application-specified sources (such as an LDAP directory) and follow CRL distribution points.
  • Can use OCSP responders specified in AIA extensions.
  • One or more trusted OCSP responder(s) may be configured for path validation.
  • Configurable to make the most of your infrastructure.
  • Configurations can be created centrally and pushed out using your existing management tools.
  • Much more. See the online developer’s reference for details.

Webcullis provides a simple, secure and flexible solution for integrating your PKI and your web applications. Webcullis features:

  • Certification path building and discovery compatible with the DoD PKI and the Federal bridged environments.
  • RFC 3280-compliant path validation
  • Cached validations to reduce server load for multiple requests
  • Simple configuration syntax
  • Access restrictions may be based on: Name constraints, Key Size, Extended Key Usage, Policy Constraints or Quality of revocation information
  • Allows the use of one or more LDAP directories for path building
  • One or more trusted OCSP responders may be configured for path validation
  • Webcullis trust roots are separate from the system trust roots, enabling server-side work-arounds for client-side bugs.
  • Access to resources may be controlled without configuring cumbersome mappings between certificates and system accounts on IIS.
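The feature list above describes access decisions driven by certificate properties (key size, Extended Key Usage, certificate policy) plus RFC 5280 path validation against a trust store that is deliberately separate from the system's. As an added example (not code from PKIF or Webcullis, and not their configuration syntax), the Go program below builds a constructed root, issuing CA and user-certificate chain in memory with the standard library and then applies that kind of policy to three user certificates: one that should pass, one with a 1024-bit key, and one that does not assert the required policy OID. The `AccessPolicy` type, the policy OID 2.999.1 (the ISO example arc) and the "Example Agency" names are assumptions made for the example. Name constraints and the quality of revocation information from the list are not modelled, because Go's verifier does not fetch CRLs or OCSP responses on its own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// AccessPolicy is a hypothetical policy type modelled on the restrictions listed above; it is not Webcullis's syntax.
type AccessPolicy struct {
	Roots          *x509.CertPool        // application-private trust roots, not the OS store
	Intermediates  *x509.CertPool        // issuing CAs available for path building
	MinRSABits     int                   // smallest RSA modulus accepted
	RequiredEKU    x509.ExtKeyUsage      // EKU the user certificate must assert explicitly
	RequiredPolicy asn1.ObjectIdentifier // certificatePolicies OID it must assert
}

// Constructed policy OID under the 2.999 example arc; a real deployment names its assurance-level OID.
var examplePolicyOID = asn1.ObjectIdentifier{2, 999, 1}

// Authorize returns nil only if the presented user certificate passes every check.
func Authorize(p AccessPolicy, leaf *x509.Certificate) error {
	pub, ok := leaf.PublicKey.(*rsa.PublicKey) // 1. key type and size
	if !ok || pub.N.BitLen() < p.MinRSABits {
		return fmt.Errorf("policy: key must be RSA with at least %d bits", p.MinRSABits)
	}
	// 2. Explicit EKU: x509.Verify treats an absent EKU extension as "any use", so demand it here.
	if !slices.Contains(leaf.ExtKeyUsage, p.RequiredEKU) {
		return fmt.Errorf("policy: extended key usage %d not asserted", p.RequiredEKU)
	}
	if !slices.ContainsFunc(leaf.PolicyIdentifiers, p.RequiredPolicy.Equal) { // 3. certificate policy
		return fmt.Errorf("policy: certificate does not assert policy %v", p.RequiredPolicy)
	}
	_, err := leaf.Verify(x509.VerifyOptions{ // 4. RFC 5280 path validation against private roots only
		Roots: p.Roots, Intermediates: p.Intermediates, KeyUsages: []x509.ExtKeyUsage{p.RequiredEKU}})
	return err
}

// must panics on error so the fixture code below stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl for key under parent (parent == tmpl for the self-signed root) and returns it parsed.
func sign(serial int64, tmpl, parent *x509.Certificate, key, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(365*24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

func ca(cn string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Agency"}},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

func user(cn string, exts ...pkix.Extension) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Agency"}},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: exts}
}

// BuildFixture makes a constructed root -> issuing CA -> user chain in memory (not real Federal PKI data).
func BuildFixture() (AccessPolicy, map[string]*x509.Certificate) {
	rootKey, interKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	rootT := ca("Example Root CA")
	root := sign(1, rootT, rootT, rootKey, rootKey)
	inter := sign(2, ca("Example Issuing CA"), root, interKey, rootKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	// certificatePolicies (RFC 5280 4.2.1.4) encoded by hand as SEQUENCE OF PolicyInformation.
	pol := pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32},
		Value: must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{examplePolicyOID}}))}
	policy := AccessPolicy{Roots: roots, Intermediates: inters, MinRSABits: 2048,
		RequiredEKU: x509.ExtKeyUsageClientAuth, RequiredPolicy: examplePolicyOID}
	return policy, map[string]*x509.Certificate{
		"good":      sign(3, user("JANE DOE", pol), inter, must(rsa.GenerateKey(rand.Reader, 2048)), interKey),
		"weak key":  sign(4, user("WEAK KEY", pol), inter, must(rsa.GenerateKey(rand.Reader, 1024)), interKey),
		"no policy": sign(5, user("NO POLICY"), inter, must(rsa.GenerateKey(rand.Reader, 2048)), interKey),
	}
}

func main() {
	policy, leaves := BuildFixture()
	for name, c := range leaves {
		fmt.Printf("%-10s -> %v\n", name, Authorize(policy, c))
	}
}
```

Running it prints a nil error for the "good" certificate and a policy error for the other two. The order of the checks matters in practice: the cheap local checks run before path validation, which is the step that touches LDAP, CRL or OCSP sources in a real deployment and is why Webcullis caches validations. Because `Roots` is a private pool rather than nil, Go never falls back to the operating system's trust store, which is the same separation the last two bullets describe.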