Kiuru Validator is an RFC 5280 certificate path validator developed especially for Mobile Signature Services (MSS) and Mesh environments. In an MSS Mesh environment every Mesh member, including Verifying Entities, can decide which certificate issuers it trusts. Kiuru Validator supports this by requiring trusted issuers to be declared explicitly instead of relying on the iterative certification path building described in RFC 5280. Every accepted certification path tree must have a Trust Anchor at its root.
The key features of Kiuru Validator are:
- Explicit configuration of Trust Anchors without using Java supplied trust anchor collections
- Explicit configuration of accepted Intermediate CA Certificates
- Explicit configuration of CRL data sources used in certificate validation
- Explicit configuration of approved OCSP service locations, with an option to allow fallback to CRL data when the OCSP service is unavailable
- Explicit configuration of approved branches of the Trust Anchor trees that are delegated to external DSS validation, each with the approved identities of those external validators
- High-performance interface for the Kiuru MSSP server and a flexible integration interface for other services (DSS)
For performance reasons Kiuru Validator pre-loads CRL data periodically at configurable intervals, decoupling the use of the CRL data from the loading of it. The CRL data is also cached in a local database. Together these make the CRL data available immediately after a system restart, and intermittent connectivity problems or other issues preventing access to on-line CRL data do not cause an immediate denial of the validation service.
All end-user certificates, as well as pre-registered Intermediate CA certificates, must be checkable against a CRL, OCSP or DSS as the configuration defines. (Kiuru MSSP also allows routing of DSS requests.)
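The two design points above, explicitly declared trust anchors and intermediates with no path building from fetched issuer certificates, and a CRL cache that keeps answering while the CRL source is down, are shown below in a self-contained example written for this page. It is in Go (crypto/x509 exposes the same explicit root and intermediate pools) and is not Kiuru Validator's own code. It assumes a constructed root -> issuing CA -> user hierarchy generated in memory, an in-memory cache in place of Kiuru's local database, and a CRL source modelled as a function; OCSP and DSS delegation are not covered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate is revoked")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 key and a certificate signed by parentKey (a self-signed root when
// parent is nil). Constructed test PKI only. CAs get certSign+crlSign so they can sign CRLs.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// makeCRL signs a CRL from issuer listing the given serials as revoked (valid for one hour).
func makeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, number int64, revoked ...*big.Int) []byte {
	now := time.Now()
	t := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, t, issuer, key))
}

// CRLCache decouples CRL use from CRL loading: Refresh runs on a schedule against a source that
// may be down; validation reads the last good copy, so a source outage is not a validation outage.
// Kiuru persists the copy in a local database; memory is enough to show the idea (assumption).
type CRLCache struct {
	Source func() ([]byte, error) // stands in for the HTTP/LDAP fetch of a CRL (assumption)
	cached *x509.RevocationList
}

func (c *CRLCache) Refresh() error {
	der, err := c.Source()
	if err != nil {
		return err // source down: keep serving the cached copy
	}
	crl, err := x509.ParseRevocationList(der)
	if err == nil {
		c.cached = crl // a malformed download must not evict the good copy
	}
	return err
}

// Validator holds the explicitly configured anchors and intermediates: nothing outside these
// pools is trusted and no issuer certificate is fetched to build a path.
type Validator struct {
	Anchors, Intermediates *x509.CertPool
	CRL                    *CRLCache
}

func (v *Validator) Validate(leaf *x509.Certificate) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: v.Anchors, Intermediates: v.Intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return err // x509.UnknownAuthorityError when the path does not end at a configured anchor
	}
	crl := v.CRL.cached
	if crl == nil || time.Now().After(crl.NextUpdate) {
		return errors.New("no current CRL data") // fail closed rather than skip the revocation check
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the leaf's issuer
		return fmt.Errorf("CRL not signed by the leaf's issuer: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// Scenario builds root -> issuing CA -> user and runs four "refresh, then validate" rounds:
// clean CRL, after revocation, CRL source offline, and a certificate under an unconfigured root.
func Scenario() (refresh, validate []error) {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	inter, interKey := issue("Example Issuing CA", 2, true, root, rootKey)
	leaf, _ := issue("user@example.invalid", 3, false, inter, interKey)
	crl := makeCRL(inter, interKey, 1)
	v := &Validator{x509.NewCertPool(), x509.NewCertPool(), &CRLCache{}}
	v.CRL.Source = func() ([]byte, error) { return crl, nil }
	v.Anchors.AddCert(root)       // the only trust anchor; no platform store is consulted
	v.Intermediates.AddCert(inter) // the only accepted intermediate
	round := func(c *x509.Certificate) {
		refresh = append(refresh, v.CRL.Refresh())
		validate = append(validate, v.Validate(c))
	}
	round(leaf)
	crl = makeCRL(inter, interKey, 2, leaf.SerialNumber) // the issuing CA revokes the user certificate
	round(leaf)
	v.CRL.Source = func() ([]byte, error) { return nil, errors.New("CRL distribution point unreachable") }
	round(leaf) // refresh fails, the cached CRL still answers
	otherRoot, otherKey := issue("Unconfigured Root CA", 9, true, nil, nil)
	stray, _ := issue("user under other root", 10, false, otherRoot, otherKey)
	round(stray)
	return refresh, validate
}

func main() {
	refresh, validate := Scenario()
	for i := range refresh {
		fmt.Printf("round %d: refresh=%v validate=%v\n", i+1, refresh[i], validate[i])
	}
}
```

Running `go run` prints one line per round: round 1 passes, round 2 reports the revocation, round 3 shows a failed refresh alongside a still-correct revocation verdict from the cached copy, and round 4 is rejected because its root was never configured as an anchor. The cache refuses a copy that is past its NextUpdate, which is the trade-off a deployment has to decide on: serving stale CRL data through a long outage keeps the service up but weakens the revocation guarantee.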
Kiuru Validator provides an internal interface for: