
The Desktop Validator (DV) product is a client solution for enabling digital certificate validation in the most commonly used Microsoft Windows applications.
DV integrates seamlessly with any Microsoft Cryptographic API (CAPI) compliant application by acting as a CAPI certificate revocation status checking provider that can validate all digital certificates encountered by PKI-enabled Windows applications. DV supports CA-specific validation rules and can be tightly integrated with the VA Server for automatic configuration. DV provides a robust fail-over mechanism that supports multiple sources of revocation information. DV is highly available and can be remotely installed, configured and maintained using applications such as Microsoft SMS, CA Unicenter, or Microsoft Active Directory.
Key Benefits
• Ensure mission-critical Windows applications, such as system and network authentication, sending and receiving secure email, communicating with secure web servers, or authoring and reading digitally signed documents, do not rely on expired or revoked digital certificates.
• High-performance, high-availability solution with support for multiple digital validation mechanisms and high scale deployments.
• Part of a comprehensive solution that allows organizations to leverage their PKI to safeguard their Microsoft Windows based applications.
• Open standards based – easy to integrate, easy to evolve – and commercially integrated with numerous partner applications.
DV is available in Standard and Enterprise editions. DV Standard enables digital certificate validation in desktop applications like Microsoft Internet Explorer, Outlook, Outlook Express, Adobe Acrobat, or Silanis ApproveIt. DV Enterprise enables certificate validation in Microsoft Windows Server applications like Domain Controller, Internet Information Server, and Exchange Server.
With DV, enterprises can deploy single sign-on applications based on digital certificates stored on smart cards such as the DOD Common Access Card. DV enables secure workflow applications based on digitally signed documents and secure email (S/MIME) messages.
The Tumbleweed Desktop Validator (DV) leverages the native Microsoft Windows Cryptographic API (CAPI) so it can transparently provide digital certificate validation to CAPI enabled client or server applications. DV enables digital certificate validation via standard protocol queries to a VA Server (or other OCSP or SCVP standards based responder) or via CRL lookups. The reliability and performance of CRL lookups can be greatly improved by using the VA Server and the Tumbleweed VACRL protocol to distribute CA or VA manufactured CRLs and delta CRLs to DV enabled systems.

DV is CA neutral and can support CRL data from multiple CA or VA sources and provides a robust mechanism for CA specific validation policies. DV can support complex trust models and supports RFC 3280 certificate policy controls for path processing and policy enforcement. DV will perform end-to-end (complete) certificate validation if one or more intermediate CAs or VAs are used, and the validation policy requires end-to-end (complete) certificate chain validation.
DV can communicate securely with a VA Server by utilizing SSL/TLS. DV supports different trust models and can support validation of the VA Server certificate. DV can also digitally sign requests to the VA server for deployments that require a high degree of audit and non-repudiation. DV also offers support for digital certificates stored on smart cards.
DV provides support for two separate, configurable validation caches. One is an in-memory repository of all certificate validation requests, regardless of the validation mechanism used. The other is a disk-resident CRL repository. Caching parameters, including the time-to-live of response and the total size of the cache, are flexible to meet the requirements of a specific deployment. Caching can be used to improve performance and increase reliability in environments where the underlying network is not always available.
DV can be managed through an easy-to-use graphical user interface. Additionally, DV can be automatically configured using parameters obtained from the VA Server. This integration between the DV and the VA Server greatly facilitates the operation of DV in a large-scale application deployment. DV also provides well-tested support for numerous proxy servers and load balancers.
A key application of DV is smart card login. To enable Tumbleweed's revocation checking for users' smart card certificates, DV Enterprise is installed on the Domain Controller and DV Standard is installed on the client systems. DV can check revocation status using different protocols or CRLs, or utilize its cache to ensure performance and a high degree of reliability.