IBM Trust Authority 3.1 Features Checklist

Certificate support:
Format(s) supported	X509 v3
Extensions allowed?  Standard/private	Yes - standard and private
Multiple keys/certificates per user? Specify Yes/No and the number allowed or “no limit”	Yes - no limit, also no additional charge for unlimited certificates per user
Can certificates be customised?  Method?	Yes - creation of certificate template allows users to request the certs.
Revocation methods:
CRL?	Yes
OCSP?	Yes, via Valicert
CRT (Certificate Revocation Trees)?	Yes, via Valicert
CRL Distribution Points?	No
Scalability:
Modularity Brief description of architecture (i.e. CA/RA on separate machines, etc)	CA/Audit Server on one machine,  RA Server on second machine, Directory on a third machine.  Each machine can be multiprocessor system on NT or UNIX.  Registrar systems run as java applications on RA applications to allow the RA to work anywhere and reduce  workload on RA Server.
Installation options	Components installed on one machine, or on separate machines as mentioned above.  Since pricing is user based, you may install as many servers as required to meet your needs.
Capacity Max no. of certificates per CA	SecureWay Directory tested with over 30 million entries.
Security:
Communications to client	128bit SSL
Communications between CA/RA	Signed messages from CA to RA using PKIX CMP protocols over TCP/IP.
CA/RA protection (tokens. Passwords, ACL’s, etc.)	Password or Smartcard authentication for RA Administrators.  Access Control Lists for administrator privileges.  Software modules signed by IBM.  KeyStores in hardware or triple DES encrypted.
Hardware protection of CA root keys?  Specify Yes/No and method	Yes, IBM 4758 Cryptographic Coprocessor on AIX, certified as FIPS 140-1 Level 4.   Yes, Smartcards for both AIX and NT.
PKI topologies:
Cross certification methods allowed	PKIX-CMP for bi-directional cross certification
If hierarchies are allowed:
What depth?	No limit
At what levels can CA’s be cross-certified?	At any level of the hierarchy
Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance?	Yes, and the root key is preserved.
Multiple RA allowed per CA?  Specify Yes/No and the limit	No.
Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits):
Face to face	Yes, out of the box
Bulk/automated	Yes, via toolkits
Web	Yes, out of the box
E-mail	Yes, out of the box (RA accepts email)
VPN	Yes, out of the box  (PKCS 10/7)
Other (specify)	Pre-registration via RA, user download certificate from client
Device certification direct to CA or requires admin intervention?	Admin intervention required at VPN (RA can automatically approve cert request)
Can RA interface be customised easily? Method?	Yes, customise via scripting, additional fields added to registration application via Java Server Pages (html)
Tool kits available?	Yes.  SecureWay Toolbox includes a complete CDSA compliant cryptographic toolkit and complete PKIX toolkit.
Directory support:
Own directory only or third party? Which third party directories?	Own Directory.  Also LDAP compliant, so it should interoperate with any LDAP compliant directory.
Own directory provided out of the box?	Yes, at no additional charge
Can new objects be created on the fly by the PKI?	Yes
Smartcard/token support:
Which devices/standards?	Any PKCS #11 or MS CAPI compliant card
Client protection?	Trust Authority Client can use real smartcards (via PKCS #11) or virtual smartcard
CA Administrator protection?	Operating System control only
RA Administrator protection?	Any PKCS #11 or  MS CAPI compliant card
Key management:
Automatic key update?	No.  Planned for 1Q 2000 release
Automatic key histories?	No.  Planned for 1Q 2000 release
Key backup and recovery?	No.  Planned for 1Q 2000 release
Management interface:
CA Administration – GUI/command line	Command line
Logging/reporting Built-in reporting or third party?	Minimal reporting built in.  DB2 Report Writers available from multiple third parties.
Policy-based management?	Yes, via business process framework, certificate profiles and policy exits.
Multiple CA administrators?	Yes.
Multiple RA administrators?	Yes.
Can different administrators be assigned different tasks?	Yes, for example, one administrator assigned to certificate approvals, and another to certificate revocations.
Interoperability:
Standards supported:
CA	Ÿ       X.509v3 certificates Ÿ       Certificate revocation lists (CRLv2) Ÿ       Key lengths up to 1024 bits for encryption and key exchange keys Ÿ       Key lengths up to 2048 bits for CA signing keys Ÿ       RSA algorithms for encryption and signing Ÿ       MD5 and SHA-1 hash algorithms Ÿ       PKIX CMP and CMMF via TCP/IP for communications with the Registration Authority SecureWay Directory LDAP version 3.0, with RFC 1779 syntax Ÿ       ODBC for communications to database
RA	Ÿ       Secure Sockets Layer (SSL) version 2 and version 3, with client authentication Ÿ       PKCS #10 browser and server certificate request format, with a PKCS #7 response  format or as raw, binary or Base 64 encoded certificate Ÿ       PKIX CMP certificate format, with a PKIX CMP response Ÿ       IPSec certificate format Ÿ       S/MIME certificate format Ÿ       Browser certificates for: w      Microsoft Internet Explorer versions 4.x and 5.x w      Netscape Navigator and Netscape Communicator versions 3.x and 4.x Ÿ       Server certificates for: w      Netscape Enterprise Server w      Microsoft Internet Information Server w      IBM HTTP Server w      Apache Server w      Any which requests via PKCS #10/7 standards Ÿ       Smartcard certificates (PKCS #11 interface) for: w      Trust Authority Client application w      Netscape Navigator and Netscape Communicator versions 3.x and 4.x Ÿ       LDAP standard for communications with the Directory Ÿ       PKIX CMP and  CMMF via TCP/IP for communications with the Certificate Authority Ÿ       PKIX CMP CMMF via TCP/IP for communications with the Client application Ÿ       PKCS #11 for interface to smartcard key store Ÿ       ODBC for communications to database
Crypto hardware	IBM 4758 Cryptographic Coprocessor Hardware w      FIPS 140 level 4 requirements for resistance to            physical attacks  w      Support for industry-accepted cryptography standards: w      DES for encryption/decryption w      RSA for signing/signature verification w      PKCS #1 block type 00 w      PKCS #1 block type 01 w      PKCS #1 block type 02 w      MD5 and SHA-1 hash algorithms w      X9.9 and X9.23 ANSI w      ISO 9796  Common Cryptographic Architecture (CCA) Provides services for the 4758 coprocessor, including the secure generation of RSA key pairs with modulus lengths as long as 2048 bits, and: w      SET (Secure Electronic Transaction) w      DES for encryption and decryption w      RSA for signing and signature verification w      MD5 and SHA-1 hash algorithms  Smartcards via PKCS #11 or MS CAPI interface
Directories	SecureWay Directory (LDAP)
Certificate protocols	Ÿ       X509 V3 for certificates, including: Ÿ       Standard Extensions – These are the extensions defined in RFC2459, such as key usage, private key usage period, subject alternative name, basic constraints, and name constraints. Ÿ       Common Extensions - Extensions that are unique to Trust Authority, such as host identity mapping. This extension associates the subject of a certificate with a corresponding identity on a host system. Ÿ       User Defined Extensions - Extensions that an application can use to identify an online validation service that supports the issuing CA. Ÿ       PKCS #10 browser and server certificate request format, with a PKCS #7 response  format or as raw, binary or Base 64 encoded certificate Ÿ       PKIX CMP certificate format, with a PKIX CMP response Ÿ       IPSec certificate format Ÿ       S/MIME certificate format Ÿ       Browser certificates for: w      Microsoft Internet Explorer versions 4.x and 5.x w      Netscape Navigator and Netscape Communicator versions 3.x and 4.x Ÿ       Server certificates for: w      Netscape Enterprise Server w      Microsoft Internet Information Server Ÿ       Smartcard certificates (PKCS #11 or MS CAPI compliant)
Others
Third Party Application Support
Specify key partners or applications that support your PKI products	Equifax (US) and Datakom (Austria) as Trusted Third Parties.   Over 50 ISV’s recruited for IBM PKI offerings.  Email, VPN and other applications.  Key applications include Deloitte & Touche Litigation Support System, GemPlus Smartcards, Lotus Notes/Domino, Microsoft Outlook and Exchange, Entegrity SDP, etc.
Is this support via generic methods or proprietary tool kits?	Primarily via generic methods, although some use proprietary toolkits.
Other notable points/USP’s:
Please provide any additional information which may be pertinent	First PKI Offering by any vendor based on the IETF PKIX Reference Implementation (Jonah),.which was donated to the Internet community by IBM  The PKIX Reference Implementation is available from www.mit.edu/pfl  available in English, French, German, Spanish, Italian, Brazilian Portuguese, Japanese, Korean, Traditional Chinese and Simplified Chinese

Click here to return to the Review