When signed data is received, it is necessary to check that the signature is valid. This means establishing a chain of certificates from a trusted root to the signature and ensuring that none of the certificates have been revoked. Often the certificates are delivered along with the data, but sometimes they are not and the client must fetch them from a remote repository. To check whether any of the certificates in the chain have been revoked, either lists of revoked certificates must be consulted or an online service must be contacted to check them.
The role of the DIG is to control the lookup of certificates, the retrieval of certificate revocation lists and the use of online services in both directions.
Certificates are often retrieved from a Directory Server using the Lightweight Directory Access Protocol (LDAP).
The DIG acts as a proxy for LDAP, terminating it, extracting the certificate lookup request parameters, passing them through a checker, forming them into a new LDAP lookup request and delivering this to the Directory Server. The response to the lookup is treated in a similar way, with the certificate being extracted from the response, checked for validity and then returned in a newly formed LDAP response.
Certificate revocation lists may also be retrieved using LDAP and the DIG controls this communication in a similar way.
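The request checker and response check described above, as an added illustration that is not Deep-Secure's own code: it takes an already-parsed LDAP search request (a dict with base, scope, filter and attrs), enforces an assumed policy (a constructed directory suffix, no subtree searches, one simple equality filter, only certificate and CRL attributes) and rebuilds a clean request; on the return path it accepts an attribute value only if it is exactly one well-formed DER SEQUENCE with no trailing data.

```python
import re

# Assumed policy: only the attributes needed for certificate and CRL lookups.
ALLOWED_ATTRS = {"usercertificate;binary", "cacertificate;binary",
                 "certificaterevocationlist;binary"}
ALLOWED_BASE_SUFFIX = "dc=example,dc=com"  # constructed directory suffix
# One simple equality match on a small set of naming attributes; no wildcards.
FILTER_RE = re.compile(r"^\((cn|serialnumber|mail)=[A-Za-z0-9 ._@-]{1,128}\)$", re.I)


def check_request(req):
    """Return a freshly built lookup request, or raise ValueError if rejected."""
    base = req["base"].lower()
    if base != ALLOWED_BASE_SUFFIX and not base.endswith("," + ALLOWED_BASE_SUFFIX):
        raise ValueError("base DN outside the permitted subtree")
    if req["scope"] not in ("base", "one"):
        raise ValueError("subtree searches are not permitted")
    if not FILTER_RE.match(req["filter"]):
        raise ValueError("filter is not a permitted simple equality match")
    attrs = [a.lower() for a in req["attrs"]]
    bad = [a for a in attrs if a not in ALLOWED_ATTRS]
    if bad:
        raise ValueError("attributes not permitted: %s" % bad)
    # Only the checked fields are copied into the new request.
    return {"base": base, "scope": req["scope"], "filter": req["filter"], "attrs": attrs}


def der_outer_length(blob):
    """Total encoded length of the DER SEQUENCE at the start of blob, or None if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:          # tag must be SEQUENCE
        return None
    first = blob[1]
    if first < 0x80:                               # short-form length
        return 2 + first
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or len(blob) < 2 + nbytes:
        return None
    length = int.from_bytes(blob[2:2 + nbytes], "big")
    if length < 0x80 or (nbytes > 1 and blob[2] == 0):   # non-minimal length encoding
        return None
    return 2 + nbytes + length


def check_certificate_value(blob):
    """Accept a certificate or CRL value only if it is exactly one well-formed DER SEQUENCE."""
    total = der_outer_length(blob)
    return total is not None and total == len(blob)
```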
Certificates and revocation lists can also be retrieved using HyperText Transfer Protocol (HTTP), in which case the DIG uses components of Deep-Secure’s Web Guard to perform similar checks on the HTTP traffic.
Online Certificate Status Protocol (OCSP) is the standard protocol for checking certificate status with an online service. This uses HTTP as a transport and again the Deep-Secure Web Guard is used to allow the DIG to proxy the requests and responses.
Native support for LDAP based identity retrieval
Intuitive integration with Deep-Secure’s Web Guard to provide support for HTTP or OCSP-based identity retrieval
Built around core Deep-Secure Guard technology