June 22, 2009

EzCert: EzIdentity Offering for PKI (Roaming and Conventional Approaches)

EzIdentity offers a unique platform that brings One Time Password (OTP) tokens and Digital Certificates (PKI) together under one platform. It is the only platform that offers Public Key Infrastructure in two forms -
  • Roaming PKI (new way of doing things)
  • Conventional PKI (the proven approach)

Our third layer, which enforces non-repudiation, is called EzCert. This layer can also be used with or without OTP authentication when conventional PKI is needed. It delivers regulatory compliance in practice and in the most cost-effective manner.

The following part of this post covers how the EzIdentity platform offers its PKI options. The market is demanding roaming PKI, where the user does not need to carry a Digital Certificate with him: he uses strong authentication to establish his authenticity, and the server performs the cryptographic operations on his behalf.

EzIdentity interfaces with any Certificate Authority, such as VeriSign, Thawte or any national CA, in a straightforward way. The connection to the CA infrastructure can be dedicated or non-dedicated. EzIdentity interfaces with the CA over Secure HTTP or Secure Web Services for the following operations to manage the lifecycle of the certificates.

An enterprise or bank has two options for going ahead with PKI: roaming or conventional. Let's look at the workflow of each in turn.

1. Roaming PKI Approach -

The workflow will be -
  • Step 1: The customer's PFX is securely archived with EzIdentity and the customer is issued a 2FA security token (hardware or software). The calling application has no access to the token secrets or the PFX.
  • Step 2: The user logs into the application with strong 2FA authentication. The customer goes to the transaction flow and wishes to sign the transaction.
  • Step 3: The application asks for strong authentication again at transaction confirmation. If the customer has a challenge-response token, the user creates a MAC on the token; otherwise a normal OTP is used.
  • Step 4: The application calls EzIdentity to sign the “To be Signed Data” on behalf of the user, passing the signature OTP. If OTP validation succeeds, EzIdentity signs the transaction using the user's PFX.
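As an added illustration of the roaming workflow above (example code written for this page, not EzIdentity's own implementation), the following Go program models the platform side: an escrowed signing key standing in for the archived PFX, an event-based token secret, and a signing call that only proceeds when the signature OTP validates. The HOTP construction (RFC 4226), the look-ahead window of three, the RSA key size and the constructed transaction string are all assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hotp returns a six-digit RFC 4226 HOTP value for a token secret and event
// counter; it stands in for the "normal OTP" a hardware or software token shows.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// roamingUser is the platform-side record of the roaming approach: the escrowed
// signing key (the archived PFX), the token secret and the token counter. The
// calling application never has access to any of these.
type roamingUser struct {
	key     *rsa.PrivateKey
	secret  []byte
	counter uint64
}

// enrol is Step 1: archive a signing key and issue a token secret for the user.
// Both are generated here (an assumption); a deployment would import the PFX.
func enrol() (*roamingUser, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	secret := make([]byte, 20)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return &roamingUser{key: key, secret: secret}, nil
}

// signOnBehalf is Step 4: the "to be signed" data is signed with the escrowed
// key only if the signature OTP validates. A look-ahead window of three
// tolerates skipped token presses, and the counter moves past the accepted
// value so the same OTP cannot be replayed to obtain a second signature.
func (u *roamingUser) signOnBehalf(tbs []byte, otp string) ([]byte, error) {
	for i := uint64(0); i < 3; i++ {
		if hmac.Equal([]byte(hotp(u.secret, u.counter+i)), []byte(otp)) {
			u.counter += i + 1
			digest := sha256.Sum256(tbs)
			return rsa.SignPKCS1v15(rand.Reader, u.key, crypto.SHA256, digest[:])
		}
	}
	return nil, errors.New("OTP validation failed: transaction not signed")
}

// verifySignature is what the application (or a later auditor) runs on the
// returned signature with the user's public key.
func verifySignature(pub *rsa.PublicKey, tbs, sig []byte) error {
	digest := sha256.Sum256(tbs)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	u, err := enrol()
	if err != nil {
		panic(err)
	}
	tbs := []byte("PAY 1000.00 TO ACCT 123456 REF 42") // constructed transaction
	sig, err := u.signOnBehalf(tbs, hotp(u.secret, 0))  // token currently shows counter 0
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verifies:", verifySignature(&u.key.PublicKey, tbs, sig) == nil)
	_, err = u.signOnBehalf(tbs, hotp(u.secret, 0)) // replay of the same OTP
	fmt.Println("replay rejected:", err != nil)
}
```

The check a practitioner cares about is in signOnBehalf: the OTP is compared in constant time, and the counter is advanced past the accepted value, so an OTP captured at one confirmation cannot be replayed for a second signature. The application only ever receives the signature, never the key or the token secret, which is what makes the server-side model defensible.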
2. Conventional PKI Approach -

The workflow will be -
  • Step 1: The customer carries his PFX on a token or flash drive. The PIN has already been sent via SMS and the person remembers or stores it.
  • Step 2: The user logs into the application with PKI-based authentication. The customer goes to the transaction (TX) flow and wishes to sign the transaction.
  • Step 3: The application prompts the user to select the certificate from the token or flash drive, enter the PIN and perform the digital signing. The signed data and the PKCS signature are posted.
  • Step 4: The application calls EzIdentity with the signed data and PKCS signature to validate the certificate and verify the signature. If both succeed, EzIdentity returns success to the application.
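For the conventional workflow, the following added Go example (written for this page, not EzCert's code) shows the verification the platform performs in Step 4: it parses the certificate the user presented, validates it against a trusted root, checks that the certificate's key usage permits digital signatures, and only then verifies the signature over the posted data. The throwaway CA and user certificate are constructed inside the example, and a detached PKCS#1 v1.5 / SHA-256 signature is assumed because the post does not specify which PKCS format is posted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueTestCert mints a throwaway CA and a user certificate chained to it so the
// verifier has a real chain to validate. Both are constructed for this example;
// in a deployment the user certificate comes from the CA the platform interfaces
// with, and the CA certificate is the configured trust anchor.
func issueTestCert() (roots *x509.CertPool, userDER []byte, userKey *rsa.PrivateKey, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	if userKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "customer-0001"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, // end-entity certificate allowed to sign
	}
	if userDER, err = x509.CreateCertificate(rand.Reader, userTmpl, caCert, &userKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, userDER, userKey, nil
}

// clientSign is Step 3 on the user's side: sign the transaction data with the
// private key held on the token or flash drive (PKCS#1 v1.5 / SHA-256 assumed).
func clientSign(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyClientSignature is Step 4 on the platform side: validate the presented
// certificate against the trusted roots, confirm its key usage allows digital
// signatures, and only then verify the signature over the posted data.
func verifyClientSignature(roots *x509.CertPool, certDER, signed, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate validation failed: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate is not permitted to create digital signatures")
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, signed, sig); err != nil {
		return fmt.Errorf("signature verification failed: %w", err)
	}
	return nil
}

func main() {
	roots, certDER, key, err := issueTestCert()
	if err != nil {
		panic(err)
	}
	tx := []byte("PAY 1000.00 TO ACCT 123456 REF 42") // constructed transaction
	sig, err := clientSign(key, tx)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid chain and signature:", verifyClientSignature(roots, certDER, tx, sig))
	fmt.Println("tampered data:", verifyClientSignature(roots, certDER, []byte("PAY 9000.00"), sig))
}
```

The order of the checks is the point: a signature that verifies under a certificate from an untrusted issuer proves nothing about who signed, so chain validation comes before signature verification. Revocation checking (CRL or OCSP against the issuing CA) belongs in the same step in production and is omitted from this example.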

EzIdentity gives an extremely cost-effective solution when it comes to a unified platform for OTP as well as digital signatures. This uniqueness benefits enterprises in terms of platform management, support, training and roll-out.
