Trust in real time for secure digital certificates

Every day in the global electronic marketplace millions of transactions take place. Understandably all parties depend on the validity of digital certificates that underpin such transactions. Now a new service promises real-time certificate validation and revocation, a major step forward in terms of trust and security.

CertiVeR, an eTEN programme project that ended in April 2004, developed and launched a complete and decentralised service for certification authorities (CAs) and other users. The technology – a secure online certificate status information system – has resulted in a high-performance, flexible service, available 24/7, that validates and revokes digital certificates in real time.

"Now, users can be sure that the digital credential is secure and valid," explains CertiVeR's Oscar Manso. "A digital certificate is like a passport. If it is stolen, it can be reported and cancelled, or revoked."

CertiVeR offers a certificate validation and revocation service with the corresponding Online Certificate Status Protocol (OCSP) publication. This enables the user to verify the state of a specific certificate before executing any operation or transaction upon it. The system is available to any certificate authority in the world, but the consortium is focusing on Europe where the e-Signature Directive requires the provision of this service across all EU Member States.

Organisations need enhanced security for data and strong credentials for identity management. Certificates are used to secure data and manage identification credentials from users and computers both within and outside an organisation. A public key infrastructure (PKI) is the combination of software, encryption technologies, processes, and services that enable an organisation to secure both its communications and business transactions.

The ability of a PKI to secure communications and business transactions is based on the exchange of digital certificates between authenticated users and trusted resources. Digital signatures are often used in the context of PKI schemes in which the public key used in the signature scheme is tied to a user by a digital identity certificate issued by a CA.

CAs issue digital certificates for use by other parties. These trusted third parties are critical to many PKI schemes. Many commercial CAs charge for their services, while institutions and governments may have their own CAs.

Timeliness is critical
The use of electronic signatures requires the verification of the signature policy, which includes the validation of all the certificates in the signer's certification path. However, as Manso explains, the delay between the moment a certificate is revoked and the release of the next Certificate Revocation List (CRL) can be significant.

A CRL is a list of certificates, identified by serial number, that have been revoked, are no longer valid and should not be relied upon by any system user. A certificate is revoked, for example, if the CA improperly issued it or if its private key is believed to be compromised. In the past, CAs did not use an online validation service, resulting in delays of up to one week.
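The revocation gap described above, and the status check that the earlier OCSP paragraph says a user should perform before acting on a certificate, can be shown in a few dozen lines. The following is an added example written for this page; it is not CertiVeR's code and uses only Go's standard crypto/x509 package. The CA, the CRL schedule and the certificate serial 4242 are constructed test data, and the names newTestCA, issueCRL, checkRevocation, RevocationGapDemo and the "stale-crl" status are this example's own. It models the relying party's decision with a CRL only (OCSP is not in Go's standard library); the point it makes is that a CRL can never answer more freshly than its thisUpdate, whatever the CA has recorded since.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is the relying party's decision after checking a certificate serial against a CRL.
type Status string

const StatusGood, StatusRevoked, StatusStale Status = "good", "revoked", "stale-crl"

// must aborts on setup errors; the CA and CRLs below are constructed test data only.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newTestCA builds a throwaway self-signed CA that is allowed to sign CRLs.
func newTestCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(30 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// crlSign is mandatory: CreateRevocationList rejects an issuer without it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	ca, err := x509.ParseCertificate(der) // parsed form carries SubjectKeyId and PublicKey
	must(err)
	return ca, key
}

// issueCRL signs a CRL listing the given serials, valid from thisUpdate until nextUpdate.
func issueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, revoked []*big.Int, thisUpdate, nextUpdate time.Time, number int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: thisUpdate})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// checkRevocation is the relying party's check: the CRL must be signed by the issuer and not
// past nextUpdate; only then is the serial looked up. The answer can never be fresher than
// the CRL's thisUpdate, which is the gap a real-time status service closes.
func checkRevocation(serial *big.Int, crl *x509.RevocationList, issuer *x509.Certificate, now time.Time) (Status, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return StatusStale, nil
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// RevocationGapDemo replays the article's timeline: a weekly CRL is published at t0, the key
// is reported compromised an hour later and the CA records it, but the next CRL is days away.
func RevocationGapDemo() []Status {
	t0 := time.Now().Truncate(time.Second)
	ca, key := newTestCA(t0)
	serial := big.NewInt(4242) // serial of the certificate being checked (constructed)
	week := 7 * 24 * time.Hour
	reportedAt := t0.Add(time.Hour)
	weekly := issueCRL(ca, key, nil, t0, t0.Add(week), 1)
	fresh := issueCRL(ca, key, []*big.Int{serial}, reportedAt, reportedAt.Add(week), 2)
	check := func(crl *x509.RevocationList, at time.Time) Status {
		s, err := checkRevocation(serial, crl, ca, at)
		must(err)
		return s
	}
	return []Status{
		check(weekly, reportedAt.Add(time.Hour)), // only CRL on hand still says "good"
		check(weekly, t0.Add(week+time.Hour)),    // that CRL has expired: no usable answer
		check(fresh, reportedAt.Add(time.Hour)),  // CRL issued after the report: "revoked"
	}
}

func main() {
	fmt.Println(RevocationGapDemo())
}
```

The first probe is the dangerous one: two hours after the compromise is reported, a relying party holding only the weekly CRL computes "good" and has no way to know better. Treating an expired CRL as "stale-crl" rather than "good" (second probe) is the minimum a careful verifier should do; closing the window itself requires a source that answers from the CA's current records, which is what an online status service provides.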

"Because CertiVeR operates in real time, this security barrier is overcome," he says. "CertiVeR can be connected to all CAs in Europe to refresh the status of certificates. Users can now have a single access point. Certificate revocation is easier and safer, which increases transaction confidence, and there is now a single phone number to revoke all certificates."

Building on successful pilots
CertiVeR establishes secure connection interfaces with the CAs to obtain identification information about a user. Several identification systems can be used to identify CA users, including voice biometrics. When a user wants to revoke a certificate, a call is made to the central revocation number. The automated call centre system tries to verify the identity of the caller through voice recognition technologies.

If the automated system is unable to verify the caller, the call is transferred to an operator who tries to determine the user's identity by means of secret questions and the general information held on file. Once a user is validated into the certificate revocation system, the user can suspend or activate any certificates in real time.

CertiVeR's online certification status information system was originally developed to meet the needs of the financial sector. A secure central repository for certificate revocation information creates and manages revocation documents and authenticates requests following the requirements of the ISO 10779 standard.

Of the twelve pilots at European and global level, three are currently running and, according to Manso, are performing "very well". A significant pilot ran with TERENA (Trans European Research and Education Networking Association) in The Netherlands. In this instance, the consortium created TACAR, TERENA's Academic CA Repository, and worked on getting the appropriate root CA certificates needed by users' browsers in a practical and cost-effective manner.

Also significant was the Global Grid Forum (GGF) pilot, where CertiVeR participated in the development of standards recommendations to extend and apply the OCSP on Grid environments.

End users benefit from economies of scale
CAs, both private and public, would profit from CertiVeR's real-time information. This level of service is far too complex and expensive for each CA to run individually. Cost savings are realised as a result of the technical, managerial and R&D economies of scale.

"CertiVeR offers an entire infrastructure of personnel, call centres and teams that offer a tailored service," says Manso. "We provide a solution to the expensive problem of delivering the service to revoke a certificate 24 hours a day, 365 days a year."

CertiVeR also participated in the production of open source tools and demo environments to promote the adoption of real-time validation environments at global level. The consortium is now targeting software developers to simplify the validation so they can create applications with a single point of access.

"Other end users can take advantage of CertiVeR's infrastructure to validate and use their digital signatures for activities such as electronic bills and online transactions," he adds. "The potential for B2B and B2C applications is huge."

The system is now "fully proofed". Commercial agreements have been established with Camerfirma (Spain), Sigillum (France) and Intermark (Spain), safely validating certificates belonging to more than 60 CAs from a single access point. SeMarket (Secure Electronic Market, Spain) has been working on integrating CertiVeR into its SeCluster platform, which comprises a full range of services for the application of digital signatures at many levels.

Manso expects a full-scale marketing effort to be launched this October.

Contact:
Oscar Manso
C/ Diputació 238, ent. 1ª
E-08007 Barcelona
Spain
Tel: +34-93-3186736

Source: IST Results Portal
