Posts Tagged PKI
PKI (HSPD-12) for controlling access to your web applications
Posted by Shahid N. Shah in Tools on May 1st, 2009
If you’re looking for a quick and easy way to let web applications use your PIV cards (the smart cards issued under HSPD-12) and to let more thin-client solutions be HSPD-12 compliant, check out the Public Key Infrastructure Framework (PKIF) and WebCullis projects.
What’s slick about WebCullis is that it’s an IIS- and Apache-compatible web module that makes most of the certificate-validation and access-control process transparent to the application. Here’s what the developers say about the projects, verbatim from their website:
PKIF provides a variety of capabilities useful in enabling applications, including:
- Certification path building and discovery compatible with the DoD PKI and the Federal bridged environments.
- RFC 5280-compliant path validation.
- Supports RFC 3852 (Cryptographic Message Syntax).
- Supports RFC 3161 (Timestamp protocol).
- (New) Supports RFC 5055 (SCVP) and RFC 4998 (ERS), along with RFC 5276 (SCVP/ERS wantBacks).
- wxWidgets-based cross-platform GUI controls.
- Enabling applications is simple.
- Multiple certificate sources are supported, including LDAP-accessible directories, web servers, CAPI certificate stores, NSS certificate stores and other application-specified sources.
- Can retrieve revocation information from local stores, application-specified sources (such as an LDAP directory) and follow CRL distribution points.
- Can use OCSP responders specified in AIA extensions.
- One or more trusted OCSP responder(s) may be configured for path validation.
- Configurable to make the most of your infrastructure.
- Configurations can be created centrally and pushed out using your existing management tools.
- Much more. See the online developer’s reference for details.
Webcullis provides a simple, secure and flexible solution for integrating your PKI and your web applications. Webcullis features:
- Certification path building and discovery compatible with the DoD PKI and the Federal bridged environments.
- RFC 3280-compliant path validation
- Cached validations to reduce server load for multiple requests
- Simple configuration syntax
- Access restrictions may be based on: Name constraints, Key Size, Extended Key Usage, Policy Constraints or Quality of revocation information
- Allows the use of one or more LDAP directories for path building
- One or more trusted OCSP responders may be configured for path validation
- Webcullis trust roots are separate from the system trust roots, enabling server-side work-arounds for client-side bugs.
- Access to resources may be controlled without configuring cumbersome mappings between certificates and system accounts on IIS.
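The restrictions the feature list names (trust roots kept separate from the system store, key size, extended key usage) are short to state but easy to get subtly wrong. The Go program below is an example added here, not code from the PKIF or WebCullis projects: it builds a throwaway PKI in memory, applies a policy of that kind to four constructed client certificates, and uses Go's standard crypto/x509 path validation as a stand-in for the PKIF validation engine. The `Policy` struct, the `Authorize`, `newCert` and `Demo` functions, and the CA and user names are all this example's own inventions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is this example's rule set (names are its own, not WebCullis syntax): private
// trust anchors and path material, never the OS store, plus RSA key size and EKU floors.
type Policy struct {
	Roots, Intermediates *x509.CertPool
	MinRSABits           int
	RequiredEKU          x509.ExtKeyUsage
}

// Authorize validates a presented client certificate against the policy and
// returns the principal (subject CN), or an error naming the rule that failed.
func Authorize(leaf *x509.Certificate, p Policy, now time.Time) (string, error) {
	// Path building and RFC 5280 validation against the private roots only.
	// ExtKeyUsageAny switches off Go's built-in EKU filter, which treats a certificate
	// with no EKU extension as unrestricted; the requirement is enforced explicitly below.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: p.Roots, Intermediates: p.Intermediates,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", fmt.Errorf("path validation: %w", err)
	}
	hasEKU := false
	for _, u := range leaf.ExtKeyUsage {
		hasEKU = hasEKU || u == p.RequiredEKU
	}
	if !hasEKU {
		return "", fmt.Errorf("certificate lacks the required extended key usage")
	}
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < p.MinRSABits {
		return "", fmt.Errorf("RSA key too small: %d bits", pub.N.BitLen())
	}
	return leaf.Subject.CommonName, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for cn, signed by signer under parent; a nil parent
// makes it self-signed. CAs get the certSign key usage and a basic constraints extension.
func newCert(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage,
	pub crypto.PublicKey, parent *x509.Certificate, signer crypto.Signer) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, IsCA: isCA, BasicConstraintsValid: isCA}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// Demo constructs a throwaway PKI in memory (root, issuing CA, four client certificates)
// and returns the policy and the certificates keyed by test case; none of it is real PIV material.
func Demo() (Policy, map[string]*x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	userKey := must(rsa.GenerateKey(rand.Reader, 2048))
	weakKey := must(rsa.GenerateKey(rand.Reader, 1024))
	root := newCert("Example Root CA", 1, true, nil, &rootKey.PublicKey, nil, rootKey)
	ca := newCert("Example Issuing CA", 2, true, nil, &caKey.PublicKey, root, rootKey)
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	leaves := map[string]*x509.Certificate{
		"valid":     newCert("alice", 100, false, clientAuth, &userKey.PublicKey, ca, caKey),
		"weak-key":  newCert("bob", 101, false, clientAuth, &weakKey.PublicKey, ca, caKey),
		"no-eku":    newCert("carol", 102, false, nil, &userKey.PublicKey, ca, caKey),
		"untrusted": newCert("mallory", 103, false, clientAuth, &userKey.PublicKey, nil, userKey), // self-signed
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	return Policy{Roots: roots, Intermediates: inters, MinRSABits: 2048,
		RequiredEKU: x509.ExtKeyUsageClientAuth}, leaves
}

func main() {
	policy, leaves := Demo()
	for name, leaf := range leaves {
		principal, err := Authorize(leaf, policy, time.Now())
		fmt.Printf("%-9s principal=%q err=%v\n", name, principal, err)
	}
}
```

Only "alice" is admitted; the self-signed certificate fails path validation because the pool holds the example root rather than the OS trust store, the 1024-bit key fails the size floor, and the certificate without an EKU extension is rejected by the explicit check even though Go's own EKU filter would have let it through. Revocation checking (CRL distribution points, OCSP responders), name constraints and certificate policy OIDs are deliberately not covered here; in a deployment, missing or stale revocation data has to count as a denial, not a pass.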
