PKI and Federated Identity Management Enabling Tools

Over the years, Carillon experts have produced a number of applications and libraries that can be helpful when setting up Public Key Infrastructures and Federated Identity Management solutions. Those were not written with publication and commercialisation in mind, but simply to make our lives easier by automating some recurrent tasks and implementing certain RFC features.

Since we found them useful and thought they could benefit others too, we have decided to make those tools available to all as free, open-source software, released under the GNU LGPLv2.

While Carillon provides no guarantees with regard to the distributed code, we can provide our customers with complete technical support and modification services.

  • Carillon STS - Secure Token Service
    The Carillon STS is a PHP-based Federated Identity Provider (IdP) which is capable of acting as a Secure Token Service compatible with Windows CardSpace and other "infocard" implementations. It has been successfully tested with CardSpace, as well as with Chuck Mortimore's Firefox identity selector plugin.
  • Pathfinder - X.509 Certificate Validation Daemon
    Pathfinder is a Linux daemon that provides centralized X.509 certificate validation. It is fully RFC 3280 compliant, and can process complex trust models, such as bridging and multiple bridge traversal.
  • Pathfinder for Apache - Client Certificate Validation
    This patch allows the Apache web server to use Pathfinder for verification of client certificates.
  • Pathfinder for FreeRADIUS - Client Certificate Validation
    This patch allows the FreeRADIUS server to use Pathfinder for verification of client X.509 certificates during authentication requests.
  • Pathfinder for Stunnel - Certificate Validation
    This patch allows the Stunnel 4.23 Universal SSL Wrapper to use Pathfinder for verification of X.509 certificates presented by a remote client or server. This makes it even easier to add proper certificate validity checking to applications and servers that may not already be SSL-aware.
  • Pathfinder for OpenLDAP - Certificate Validation
    This patch allows the OpenLDAP server to use Pathfinder both for verification of client certificates (for LDAPS) and for verification of certificates fetched by the LDAP Proxy backend.
  • LDAP Proxy Redux - X.509 personal certificate retrieval through LDAP
    These patches contain updates to Boeing's LDAP proxy, rendering it compatible with recent versions of OpenLDAP.

Carillon also provides test-level X.509 certificates compliant with the certificate profiles of various aerospace and air transport entities. Please note, however, that while they are technologically identical to production-grade certificates, the Certificate Authority used for their creation has not been audited and is not guaranteed to be secure.

  • DSWG-compliant test certificate - Individual
    These can be used by individual people wishing to exchange information with other individuals, or to digitally sign any document or instrument, or to prove their identity for any purpose. Please contact us to obtain the specific certificate generation and retrieval instructions. The following certificates are available, in standard or Elliptic Curve encryption versions:
    • Low Assurance (old Class II) Individual Certificate
    • Medium Assurance (old Class III) Individual Certificate (software)
    • Medium Assurance (old Class III) Individual Certificate (hardware)
    • High Assurance (old Class IV) Individual Certificate

  • CertiPath-compliant test certificate
    Carillon is able to offer non-cross-certified CertiPath-compliant test certificates, in standard or Elliptic Curve encryption versions. Please contact us for more details.