Memo

Subject: Comparison of Validation Capabilities between Axway Desktop Validator and MS Windows Clients, as well as Validation Authority Server and Windows Server
Date: December 2016
1. Introduction

This document provides an overview of the differences between the Microsoft Windows validation options and the Axway Desktop Validator client (section 2), and between Microsoft Windows Server and the Axway Validation Authority Server (section 3).

2. Comparison: Clients

Each feature is listed with the Microsoft Windows client behaviour first and the Axway Desktop Validator (DV) client behaviour second.

Support for OCSP/SCVP Trust Models
  Microsoft Windows Clients: Supports the Direct and CA Delegated trust models.
  Axway Desktop Validator Client: Supports the Direct, CA Delegated, CA Designated, and VA Delegated trust models.

Digitally Signed OCSP Requests
  Microsoft Windows Clients: Not supported.
  Axway Desktop Validator Client: Supports digitally signed requests.

SCVP Support
  Microsoft Windows Clients: Not supported.
  Axway Desktop Validator Client: Includes support for SCVP request/response.

Custom Settings
  Microsoft Windows Clients: Defaults to the OCSP URL from the certificate's AIA extension and the CRL distribution point (CRLdp). Additional OCSP URLs can be added per CA.
  Axway Desktop Validator Client: Provides default and CA-specific validation settings. Extensive customization of validation settings (including failover) for each CA certificate, using OCSP, SCVP, or various CRL formats.

Override Status
  Microsoft Windows Clients: Not supported.
  Axway Desktop Validator Client: The DV administrator can configure custom settings to override status checking for any CA certificate.

Special Treatment for Miscellaneous Statuses
  Microsoft Windows Clients: Not supported.
  Axway Desktop Validator Client: Can configure how to treat conditions such as failed connection attempts and/or OCSP UNKNOWN status responses.

Send OCSP Request with NONCE
  Microsoft Windows Clients: Does not send a NONCE in OCSP requests.
  Axway Desktop Validator Client: Can send OCSP requests with or without a NONCE.

Receive OCSP Response with NONCE
  Microsoft Windows Clients: The NONCE is ignored in OCSP responses.
  Axway Desktop Validator Client: Can enforce the NONCE in OCSP responses when required (a response whose nonce does not match the request is rejected), and can be configured to ignore the NONCE when not required.

CRL Management Features
  Microsoft Windows Clients: Only allows setting the frequency of CRL fetching from the published CRLdp URL.
  Axway Desktop Validator Client: Custom cron-based scheduler to fetch CRLs as needed. Can retrieve CRLs from any location: file system, FTP, HTTP, or LDAP servers.

Additional CRL Formats Supported
  Microsoft Windows Clients: Supports CA-issued CRLs.
  Axway Desktop Validator Client: Supports CA-issued and VA-issued CRLs, including CompactCRLs for low-bandwidth environments.

DISK Cache
  Microsoft Windows Clients: Automatically stores CRLs and OCSP status to the disk cache for the published life of the status. Can use HTTP response headers (ETag for pre-fetch revalidation and Cache-Control: max-age), if available, to shorten lifespans.
  Axway Desktop Validator Client: Individual controls for CRL and OCSP caching. Simple control to use published or custom time periods for CRL and OCSP cache lifespans. Ability to create a custom schedule for CRL downloads.

Deletion of DISK Cache
  Microsoft Windows Clients: The certutil command must be run manually to delete the disk cache on a system (for each logged-in user). Delete commands are ignored for any items still resident in the memory cache.
  Axway Desktop Validator Client: Simple GUI button for CRL and OCSP disk cache deletion.

MEMORY Cache
  Microsoft Windows Clients: No retention. Items are held in memory only for the duration of the process that required the OCSP or CRL status.
  Axway Desktop Validator Client: Full control over the retention period used for the memory cache of CRLs and OCSP status. Also includes a memory size control to limit cache size.

Deletion of MEMORY Cache
  Microsoft Windows Clients: The certutil command must be run manually to delete any hung memory cache on a system (for each logged-in user).
  Axway Desktop Validator Client: Simple GUI button for memory cache deletion.

Certificate Status Notification Pop-ups for Users
  Microsoft Windows Clients: Very minimal, and dependent on the application.
  Axway Desktop Validator Client: Ability to turn on 9 distinct alerts informing the user of certificate status and to customize the frequency of notification. Microsoft applications will still provide their own status.

Logging
  Microsoft Windows Clients: The Windows Event Log can be enabled to record CAPI events. Validation process information is spread across numerous cryptic entries, depending on the application.
  Axway Desktop Validator Client: Concise, consolidated log entries for each request/response in the Windows Event Log. Can also provide separate debug logging to a dedicated text file.

Proxy
  Microsoft Windows Clients: Uses the default Windows proxy.
  Axway Desktop Validator Client: Can use the default Windows proxy or custom proxy settings.

Custom Settings Deployment
  Microsoft Windows Clients: Would only need to update AIA and CRLdp via a Group Policy Object on Windows Server. Enforcement has to be tracked separately.
  Axway Desktop Validator Client: DoD and Federal Civilian Agencies have been deploying Desktop Validator Standard and Enterprise for over ten years, and are very familiar with pushing down updates with flexible rules defined for certificate validation; DV integrates tightly with the Responder and Repeater servers for automatic configuration. DV provides robust failover support with multiple sources of revocation information and can be installed, configured, and maintained using typical third-party software deployment tools. DV validates DoD CAC and Federal Civilian Agency PIV credentials, as well as PIV-I and other PKI implementations that use different policies and profiles, which gives considerable flexibility in meeting validation requirements. Desktop Validator settings can be customized to obtain the most up-to-date CRL, OCSP, and SCVP information, so that stale responses are never used and, when a certificate is revoked, access can be denied immediately. This can include requiring a nonce and a signed OCSP or SCVP request/response, and/or configuring separate OCSP and SCVP Responders and Repeaters to provide real-time status checking and validation.

Never worry about using stale responses

Microsoft documentation states that its internal OCSP cache implementation follows RFC 5019.[1] That standard allows HTTP response headers (Cache-Control: max-age, Expires, ETag) that tell caches whether, and for how long, a response may be reused. A client that honours this cache-control information reuses a response only for the period the responder specified, and in no case beyond the response's nextUpdate, and so avoids reusing stale responses.

3. Comparison: Servers

HSM Integration
  Microsoft Windows Server: Depends on Windows HSM integration and driver setup. Customers reported having to work through 20-30 pages of documentation.
  Axway Validation Authority Server: GUI-based, out-of-the-box integration with major HSM vendors such as Thales, Safenet, ACP and others.

DoD CRL Integration
  Microsoft Windows Server: A Microsoft engineer's blog offers a complex script to help obtain the DoD CRL information, but it is not officially supported and is very difficult to implement and get working: https://blogs.technet.microsoft.com/askpfeplat/2014/01/07/microsoft-pki-ocspresponder-now-jitc-certified-and-lab-setupguide/
  Axway Validation Authority Server: Easy GUI-based setup.
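The cache rule behind the "stale responses" note, worked as an added Python example. This is not Axway Desktop Validator or Windows CryptoAPI code; the header values, timestamps and ETag are constructed for illustration, and the function names are the example's own. It applies the RFC 5019 headers the memo names (Cache-Control: max-age and ETag) plus Expires, and caps every computed lifetime at the response's nextUpdate, which is the check that actually keeps a stale response out of the cache:

```python
"""Decide how long an OCSP response may be reused, following the RFC 5019
HTTP cache-control rules.

Added example, not Axway Desktop Validator or Windows CryptoAPI code.
The header values and timestamps below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

UTC = timezone.utc


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def cache_expiry(headers, this_update, next_update, received):
    """Return the instant after which the cached response must not be reused,
    or None if it may not be cached at all.

    Rules applied:
      * thisUpdate in the future means clock skew or a bogus response: reject.
      * nextUpdate is a hard ceiling; HTTP headers can only shorten the lifetime.
      * no-store / no-cache: do not cache.
      * max-age is counted from the Date header (when present) or from receipt.
      * Expires is consulted only when max-age is absent (HTTP precedence).
    """
    if this_update > received:
        raise ValueError("thisUpdate is in the future")
    if next_update <= received:
        return None  # already past nextUpdate: stale on arrival
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return None
    expiry = next_update
    if cc.get("max-age") is not None:
        origin = parsedate_to_datetime(h["date"]) if "date" in h else received
        try:
            seconds = int(cc["max-age"])
        except ValueError:
            seconds = 0  # malformed max-age: treat as already expired
        expiry = min(expiry, origin + timedelta(seconds=seconds))
    elif "expires" in h:
        expiry = min(expiry, parsedate_to_datetime(h["expires"]))
    return expiry


def is_stale(expiry, now):
    """True when a cached response must be refetched before use."""
    return expiry is None or now >= expiry


def revalidation_headers(headers):
    """Conditional-GET headers for a pre-fetch, so an unchanged response
    costs a 304 Not Modified rather than a full download."""
    h = {k.lower(): v for k, v in headers.items()}
    out = {}
    if "etag" in h:
        out["If-None-Match"] = h["etag"]
    if "last-modified" in h:
        out["If-Modified-Since"] = h["last-modified"]
    return out


# Constructed sample: a response received at 12:00 UTC on 1 Dec 2016 whose
# status is good for a week, but whose responder asked caches to hold it one day.
RECEIVED = datetime(2016, 12, 1, 12, 0, tzinfo=UTC)
THIS_UPDATE = datetime(2016, 12, 1, 0, 0, tzinfo=UTC)
NEXT_UPDATE = datetime(2016, 12, 8, 0, 0, tzinfo=UTC)
SAMPLE_HEADERS = {
    "Date": "Thu, 01 Dec 2016 11:59:30 GMT",
    "Last-Modified": "Thu, 01 Dec 2016 00:00:00 GMT",
    "Expires": "Thu, 08 Dec 2016 00:00:00 GMT",
    "ETag": '"3a1f9c"',
    "Cache-Control": "max-age=86400, public, no-transform, must-revalidate",
}

if __name__ == "__main__":
    expiry = cache_expiry(SAMPLE_HEADERS, THIS_UPDATE, NEXT_UPDATE, RECEIVED)
    print("reuse until", expiry)
    print("stale two days later?", is_stale(expiry, RECEIVED + timedelta(days=2)))
    print("revalidate with", revalidation_headers(SAMPLE_HEADERS))
```

With the sample headers the response is reusable until 2 Dec 2016 11:59:30 UTC (max-age counted from the Date header), even though nextUpdate is a week out; a max-age longer than the validity window is clipped to nextUpdate, and no-store or a nextUpdate already in the past yields no cache entry at all. The ETag and Last-Modified values feed the conditional pre-fetch that the Windows disk cache row describes.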