|
Certificate support: |
|
|
Format(s) supported |
X.509v3 |
|
Extensions allowed? Standard/private
|
Almost all extensions supported; custom extensions also supported |
|
Multiple keys/certificates per user? Specify Yes/No and the number allowed or “no limit”
|
Yes – no limit |
|
Can certificates be customised? Method?
|
Yes – via a policy set up using the GUI policy editor |
|
Revocation methods: |
|
|
CRL?
|
Yes |
|
OCSP?
|
Yes |
|
CRT (Certificate Revocation Trees)?
|
Via third party product e.g. Valicert VA that supports CRT |
|
CRL Distribution Points?
|
Yes |
|
Scalability: |
|
|
Modularity Brief description of architecture (i.e. CA/RA on separate machines, etc)
|
CA, RA, CAO, RAO, Gateway etc – all separate modules that can be co-located or can be run on separate systems |
|
Installation options
|
NT via install shield – CA module also available on Unix (Sun Solaris 2.6) |
|
Capacity Max no. of certificates per CA
|
No limitations on the number of certificates handled by a CA |
|
Security: |
|
|
Communications to client
|
Various – PKCS#10/7, PKCS#12 |
|
Communications between CA/RA
|
PKIX messaging (all signed) |
|
CA/RA protection (tokens, passwords, ACLs, etc.)
|
CA and RA can use software or hardware security modules, with associated access controls. Can split PSE across multiple smartcards – CAO and RAO can use smartcards. |
|
Hardware protection of CA root keys? Specify Yes/No and method
|
Yes – via any of the following modules (method is specific to the module). Luna 2, CA and CA3 (including m of n activation), nCipher, Baltimore Technologies HSP4000 and the Racal RG722 |
|
PKI topologies: |
|
|
Cross certification methods allowed
|
Via PKIX CMP, PKCS#10/7 and certificate based |
|
If hierarchies are allowed: |
|
|
What depth?
|
Any depth – no limitations |
|
At what levels can CA’s be cross-certified?
|
Any level |
|
Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance?
|
Hierarchy can be added to at any time |
|
Multiple CA/RA allowed? Specify Yes/No and the limit
|
Yes – any depth of hierarchy of CAs with unlimited CAs per level. Max of 255 (on NT) RAs per CA – unlimited RAOs per RA. |
|
Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits): |
|
|
Face to face
|
Yes – out of box |
|
Bulk/automated
|
Yes – out of box – and customisable |
|
Web
|
Yes – out of box |
|
|
Yes – out of box |
|
PN
|
Yes – out of box |
|
Other (specify)
|
Customisable via Advanced Registration Module |
|
Device certification direct to CA or requires admin intervention?
|
Admin intervention |
|
Can RA interface be customised easily? Method?
|
Yes – via policies for registration details – and via Advanced Registration Module (ARM) for custom methods |
|
Tool kits available?
|
Yes - high-level PKI-enabling; protocol- and application-specific (SSL, S/MIME, XML, WAP) and low-level cryptographic-enabling. Available in C or Java. |
|
Directory support: |
|
|
Own directory only or third party? Which third party directories?
|
Third party – any via LDAP or DAP – including Isocor, Netscape etc. |
|
Own directory provided out of the box?
|
No – third party directories are sold by Baltimore |
|
Can new objects be created on the fly by the PKI?
|
Yes |
|
Smart card/token support: |
|
|
Which devices/standards?
|
Via PKCS#11 – e.g. Datacard 320/310, Gemplus, Luna tokens |
|
Client protection?
|
Specific to device, but normally PIN/passphrase |
|
CA Administrator protection?
|
Software / smartcard / token |
|
RA Administrator protection?
|
Software / smartcard / token |
|
Key management: |
|
|
Automatic key update?
|
Not for CA - will be supported in future |
|
Automatic key histories?
|
No |
|
Key backup and recovery?
|
Yes - via archive server |
|
Management interface: |
|
|
CA Administration – GUI/command line
|
GUI |
|
Logging/reporting Built-in reporting or third party?
|
Via Oracle tools |
|
Policy-based management? |
Yes |
|
Multiple CA administrators?
|
Yes |
|
Multiple RA administrators?
|
Yes |
|
Can different administrators be assigned different tasks?
|
Yes – CA operators can have separation of roles; RAO operators can only use policies they have been allocated |
|
Interoperability: |
|
|
Standards supported:
|
PKIX, PKCS#10, PKCS#7, PKCS#12
|
|
CA
|
PKIX messaging, RSA, DSA, ECDSA etc, devices via PKCS#11 |
|
RA
|
PKIX messaging, RSA, DSA, ECDSA etc, devices via PKCS#11 |
|
Crypto hardware
|
PKCS#11 |
|
Directories
|
LDAP, DAP |
|
Certificate protocols
|
X.509v3 |
|
Others
|
See chart below |
|
Third Party Application Support |
|
|
Specify key partners or applications that support your PKI products
|
Wide range – directories, hardware devices, smartcards as above, Valicert, Cisco CEP and a wide range of other 3rd party applications. Baltimore’s interoperability alliance, PKI World (www.pkiworld.com), currently covers the following companies and sectors:
VPN - Checkpoint, TrustWorks, Data Fellows, KyberPASS, RadGuard, TimeStep
Access Control - Axent, Dascom, enCommerce, Gradient, Netegrity
Secure E-Commerce - Celo Communications, LockStar, PCSL, SHYM Technology, Thawte, ValiCert
Smartcards & Hardware - ActivCard, Authentic8, Chrysalis-ITS, Datakey, Gemplus, nCipher, Setec
Directories - Control Data, Isocor, MessagingDirect, Netscape, PeerLogic
Secure Messaging - Content Technologies, Worldtalk
|
|
Is this support via generic methods or proprietary tool kits?
|
Generic / standards methods – Not proprietary toolkits |
|
Other notable points/USP’s: |
|
|
Please provide any additional information which may be pertinent
|
Policy based – very scaleable – flexibility – control – choice
|