This part of our series on PKI security in large-scale web applications examines the limits of traditional off-the-shelf PKI-validation solutions.
Per Joint Task Force Global Network Operations (JTF-GNO), the #1 method of attack on the DoD information network is compromised user IDs and passwords. Homeland Security Presidential Directive (HSPD 1) — implemented in the wake of September 11, 2001 — mandates a federal standard for secure and reliable forms of identification.
Validating a user’s identity is at the heart of PKI’s effectiveness. Certificate-validation software is currently available off-the-shelf from a variety of private companies. These products typically employ a desktop application that transmits an HTTP request to a corresponding certificate-status server whenever a smart card (or other public-key credential) is presented. The server verifies the smart card’s digital certificate against a Certificate Revocation List (CRL)—provided by a principal Certifying Authority—and determines whether the user’s access is granted or denied.
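The check described above (the presented certificate’s serial looked up in the CA-issued CRL), reduced to its core as an added example that is not from the original article or any vendor product: a stdlib-only Python parser for a DER CertificateList that reports revoked, good, or stale once the CRL is past its nextUpdate. The sample CRL, issuer name and serial are constructed; the signature field is a zero placeholder and is not verified here, which a real validator must do before trusting the list.

```python
from datetime import datetime, timezone

def der(tag: int, body: bytes) -> bytes:        # one DER TLV, short or long length form
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(body: bytes) -> list:
    """Split a DER SEQUENCE/SET body into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def parse_crl(crl_der: bytes) -> dict:
    """nextUpdate and revoked serials from a DER CertificateList (UTCTime only; signature NOT verified)."""
    cert_list = children(crl_der)[0][1]
    tbs = children(children(cert_list)[0][1])   # tbsCertList fields
    i = (1 if tbs[0][0] == 0x02 else 0) + 3     # skip optional version, sigAlg, issuer, thisUpdate
    next_update, revoked = None, set()
    if i < len(tbs) and tbs[i][0] == 0x17:
        next_update = datetime.strptime(tbs[i][1].decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        i += 1
    if i < len(tbs) and tbs[i][0] == 0x30:
        revoked = {int.from_bytes(children(e)[0][1], "big") for _, e in children(tbs[i][1])}
    return {"next_update": next_update, "revoked": revoked}

def cert_status(crl_der: bytes, serial: int, now_utc: str) -> str:
    """'revoked', 'good', or 'stale' once nextUpdate has passed: a stale CRL proves nothing."""
    crl = parse_crl(crl_der)
    now = datetime.strptime(now_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if crl["next_update"] is not None and now > crl["next_update"]:
        return "stale"
    return "revoked" if serial in crl["revoked"] else "good"
def sample_crl() -> bytes:
    """Constructed CRL: thisUpdate 2024-01-02, nextUpdate 2024-01-09, serial 0x1234 revoked, zero placeholder signature."""
    utc = lambda y, m, d: der(0x17, datetime(y, m, d).strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSAEncryption
    cn = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Example Issuing CA"))  # CN attribute
    entry = der(0x30, der(0x02, b"\x12\x34") + utc(2024, 1, 1))
    tbs = der(0x30, der(0x02, b"\x01") + alg + der(0x30, der(0x31, cn)) + utc(2024, 1, 2)
              + utc(2024, 1, 9) + der(0x30, entry))
    return der(0x30, tbs + alg + der(0x03, bytes(9)))
```

A validator that ignores nextUpdate will keep answering "good" from a CRL the CA stopped vouching for, which is exactly the window a revoked credential needs.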
Within a PKI, it is particularly important to ensure certificate validation is performed efficiently to minimize the impact on users, networks, and system applications. And while standard off-the-shelf products have proven effective when deployed to smaller systems with relatively limited user volume, larger, more sophisticated systems typically require a more robust solution.
Many large-scale, high-volume systems use sophisticated load-balanced and clustered architectures that deploy applications redundantly across multiple nodes—optimizing availability and failover, while operating as a single virtual machine.
Traditional COTS products, however, require a one-to-one connection between the local application and the externally hosted CRLs, which load-balanced architectures prevent. As a result, traditional COTS solutions cannot be properly configured for most large-scale systems without negatively impacting availability and performance. While sufficient for small systems and applications, these COTS solutions are not well suited to the high-volume demands of large-scale web applications.
The next installment will examine how the Partnet eValidate software package is an ideal PKI security solution for high-volume, large-scale systems.