Sixscape’s products are based on our Identity Registration Protocol (IRP), which was issued port 4604 by IANA. IRP does not involve browsers or web servers, or HTTP in any way. It is designed for embedding in client applications and devices to simplify and automate certificate management and to make it more secure than is possible with web based certificate management.
A typical request proceeds as follows (no browsers are used):
-
- generate public/private keypair, using RSA or ECC asymmetric key cryptography. The private key is stored in a local database encrypted using a key derived from a passphrase.
- connect securely to an IRP server using a userId and either password or client digital certificate (“Strong Client Authentication”), and request or update the subject distinguished name (subjectDN) information for the user (e.g. for client cert, the user’s Name, Email Address, Organization, Organizational Unit, City, State, Country, etc). This information can be reviewed and pre-approved by the CA for immediate certificate issue. It can also be created from a database by the applicant’s organization.
- Build a PKCS10 Certificate Signing Request from the public key and subject DN and submit it to the CA for signing.
- Retrieve the signed certificate
- Reassociate the certificate with the private key (requires knowledge of the passphrase it was stored with), and store the resulting key material (cert and private key) in the local certificate store and optionally also in a PKCS12 file (which is encrypted with a key derived from a passphrase, etc.
- You can also upload your PKCS12 file for future retrieval and installation (to replace lost key material or to install the same key material on another node)
- For private hierarchy certs you can download the root and intermediate cert to install on the client node or device.
You can also use IRP to request and download certs on an Android or iOS mobile device, with the private key stored in the keychain with biometric access control.
We can provide SDKs for implementation of IRP, keypair generation, PKCS10 creation and so forth, as well as keeping the key material in the local certificate database (Windows) or keychain (mobile devices) on various platforms. The crypto and PKI operations can be done with OpenSSL, SecureBlackBox, Bouncy Castle, or various other crypto libraries.
Client certificates can be used for Strong Client Authentication in online protocols, including any TLS secured service that supports SCA, for S/MIME secure E-mail, PeerTLS, etc.
Server certificates can be used to enable SSL/TLS on any server application, as well as providing server to client authentication.
Several major CAs now support IRP, including GlobalSign and Entrust Datacard. We are working on additional CAs now. We also support EJBCA and PKI-in-a-Box with IRP. We can add IRP support to virtually any CA. We can license IRP for use in your applications. We will be glad to arrange for purchase of certificates from any of our CA partners via IRP.
One way to view IRP is as a kind of “ODBC” for certificate management. Every CA has its own proprietary API (usually web based) to allow applications or devices request and retrieve certificates. They often have different functionality. With databases, ODBC allows you to write an application to one API, which can be connected to any proprietary database server’s API. In the same way, you can create a secure application using IRP and connect it to any CA without changes.
Most customers will use IRP as part of our other products but if you create software applications or hardware devices we will be glad to help you integrate it into your products as well.