 |
|
RSA Keon 5.7 Features Checklist
|
Certificate support: |
|
|
Format(s) supported
|
X509 V3 + 1 |
|
Extensions allowed? Standard/private
|
Yes, User definable. |
|
Multiple keys/certificates per user? Specify Yes/No and the number allowed or �no limit�
|
The RSA Keon Certificate Authority supports up-to two keys (one for signing, the other for encryption) per user. The RSA Keon Advanced PKI (including RSA Keon WebPassport), allows an unlimited number of certificate replacements. |
|
Can certificates be customised? Method?
|
Yes, via the Keon Certificate Authority or Keon Registration Authority. These functions are provided under through the administration console pages. |
|
Revocation methods: |
|
|
CRL?
|
Yes |
|
OCSP?
|
Yes |
|
CRT (Certificate Revocation Trees)?
|
No |
|
CRL Distribution Points?
|
Yes |
|
Scalability: |
|
|
Modularity Brief description of architecture (i.e. CA/RA on separate machines, etc)
|
The CA and RA software can be installed on the same machine, however in practice, load balancing and resilience dictates that these be separate. Independently tested to 8,000,000 certificates |
|
Installation options
|
Modular approach to installation enabling distribution of CA/RA across multiple geographic locations. |
|
Capacity Max no. of certificates per CA
|
Theoretically unlimited. Independently tested up to 8,000,000 certificates. |
|
Security: |
|
|
Communications to client
|
SSL |
|
Communications between CA/RA
|
SSL |
|
CA/RA protection (tokens. Passwords, ACL�s, etc.)
|
CA
root keys can be protected by an HSM (nCipher or Chrysalis).
CA and RA administrators require certificates issued by the
appropriate admin CA in order to access the admin consoles. The
appropriate smartcard set must also be used with the HSM for certain
functions. |
|
Hardware protection of CA root keys? Specify Yes/No and method
|
Yes, HSM. Smartcard sets used to control HSM and related CA functions (k of n). HSM is also used for the key recovery. |
|
PKI topologies: |
|
|
Cross certification methods allowed
|
IETF/PKIX cross-certification via PKCS#7 and PKCS#10. Cross-validation for non-static trust relationships |
|
If hierarchies are allowed: |
|
|
What depth?
|
Unlimited |
|
At what levels can CA�s be cross-certified?
|
Any |
|
Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance?
|
Yes |
|
Multiple CA/RA allowed? Specify Yes/No and the limit
|
Yes. Theoretically unlimited. |
|
Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits): |
|
|
Face to face
|
Yes |
|
Bulk/automated
|
Yes. Automated via Keon OneStep. Bulk via programming/scripting languages. |
|
Web
|
Yes |
|
|
Yes |
|
VPN
|
Yes |
|
Other (specify)
|
|
|
Device certification direct to CA or requires admin intervention?
|
Direct to CA/RA via SCEP. By default a cert request must be vetted, but this can be automated. |
|
Can RA interface be customised easily? Method?
|
Yes, via HTML pages and scripts. |
|
Tool kits available?
|
Yes. |
|
Directory support: |
|
|
Own directory only or third party? Which third party directories?
|
CA/RA can publish to any LDAP based directory. Keon WebPassport currently supports Netscape iPlanet directory. |
|
Own directory provided out of the box?
|
Not with basic CA. Keon WebPassport ships with Netscape iPlanet. |
|
Can new objects be created on the fly by the PKI?
|
Yes, the user and OU object can be created automatically; certificates and CRL�s can also be automatically published to the directory. |
Smart card/token support: |
|
|
Which devices/standards?
|
RSA SecurID token is supported via a Virtual Smartcard. RSA Keon support the PC/SC and PKCS#11 standards |
|
Client protection?
|
Yes, any of the above |
|
CA Administrator protection?
|
Admin certificate, protected by any method above. |
|
RA Administrator protection?
|
Admin certificate, protected by any method above. |
|
Key management: |
|
|
Automatic key update?
|
Not in current version (will be in Keon Advanced PKI version 6.0 - scheduled 2002) |
|
Automatic key histories?
|
Not in version tested (will be in Keon Advanced PKI (Keon Desktop) version 5.6 - scheduled Q4 2001) |
|
Key backup and recovery?
|
CA has optional Key Recovery Module which makes use of HSM. |
|
Management interface: |
|
|
CA Administration � GUI/command line
|
Web browser |
|
Logging/reporting Built-in reporting or third party?
|
Built in logging in the form of digitally signed XML logs. |
|
Policy-based management?
|
Yes |
|
Multiple CA administrators?
|
Yes |
|
Multiple RA administrators?
|
Yes |
|
Can different administrators be assigned different tasks?
|
Yes |
|
Interoperability: |
|
|
Standards supported:
|
|
|
CA
|
X509V3 + 1, IPSEC, PKIX, SSL-LDAP, HTTPS, OCSP, SCEP, cross-certification, PKCS#7, 10, 11 & 12 |
|
RA
|
X509V3 + 1, IPSEC, PKIX, SSL-LDAP, HTTPS, SCEP, PKCS#7, 10, 11 & 12 |
|
Crypto hardware
|
Ncipher (nSafe and nShield), Chrysalis, PKCS#11 |
|
Directories
|
LDAP + SSL-LDAP |
|
Certificate protocols
|
X509V3 + 1, SCEP |
|
Others
|
PC/SC PKCS#11 PKCS#12 MS_CryptoAPI SSL SMIME |
|
Third Party Application Support |
|
|
Specify key partners or applications that support your PKI products
|
Microsoft Exchange, Outlook, Internet Explorer, IIS Web Server Netscape Fastrack, Communicator, Messager, LDAP Server. Checkpoint VPN |
|
Is this support via generic methods or proprietary tool kits?
|
Generic via open standards support. These products use RSA�s open standards based Crypto. |
|
Other notable points/USP�s: |
|
|
Please provide any additional information which may be pertinent
|
Keon Certificate Authority provides real-time status checking of certificates. Keon WebPassport provides the credential mobility and security of a smartcard without the need for a smartcard reader. |
Click here to return to the Review
Send mail to webmaster
with questions or
|