 |
|
|
Certificate support: |
� |
|
Format(s) supported |
X.509v3 |
|
Extensions allowed?� Standard/private � |
Almost all extensions supported Custom extensions also supported |
|
Multiple keys/certificates per user? Specify Yes/No and the number allowed or “no limit”� � |
Yes – no limit |
|
Can certificates be customised?� Method? � |
Yes – via a policy set up using the GUI policy editor |
|
Revocation methods: |
� |
|
CRL? � |
Yes |
|
OCSP? � |
Yes |
|
CRT (Certificate Revocation Trees)? � |
Via third party product e.g. Valicert VA that supports CRT |
|
CRL Distribution Points? � |
Yes |
|
Scalability: |
� |
|
Modularity Brief description of architecture (i.e. CA/RA on separate machines, etc) � |
CA, RA, CAO, RAO, Gateway etc – all separate modules that can be co-located or can be run on separate systems |
|
Installation options � |
NT via install shield – CA module also available on Unix (Sun Solaris 2.6) |
|
Capacity Max no. of certificates per CA � |
No limitations on the number of certificates handled by a CA |
|
Security: |
� |
|
Communications to client � |
Various – PKCS#10/7, PKCS#12 |
|
Communications between CA/RA � |
PKIX messaging (all signed) |
|
CA/RA protection (tokens. Passwords, ACL’s, etc.) � |
CA and RA can use software or hardware security modules, with associated access controls. Can split PSE across multiple smartcards – CAO and RAO can use smartcards.� |
|
Hardware protection of CA root keys?� Specify Yes/No and method � |
Yes – via any of the following modules (method is specific to the module). Luna 2, CA and CA3 (including m of n activation), nCipher, Baltimore Technologies HSP4000 and the Racal RG722 |
|
PKI topologies: |
� |
|
Cross certification methods allowed � |
Via PKIX CMP, PKCS#10/7 and certificate based |
|
If hierarchies are allowed: |
� |
|
What depth?� � |
Any depth – no limitations |
|
At what levels can CA’s be cross-certified? � |
Any level |
|
Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance? � |
Hierarchy can be added to at any time |
|
Multiple CA/RA allowed?� Specify Yes/No and the limit � |
Yes – any depth of hierarchy of CAs with unlimited CAs per level. Max of 255 (on NT) RAs per CA – unlimited RAOs per RA. |
|
Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits): |
� |
|
Face to face � |
Yes – out of box |
|
Bulk/automated � |
Yes – out of box – and customisable |
|
Web � |
Yes – out of box |
|
� |
Yes – out of box |
|
PN � |
Yes – out of box |
|
Other (specify) � |
Customisable via Advanced Registration Module |
|
Device certification direct to CA or requires admin intervention? � |
Admin intervention |
|
Can RA interface be customised easily? Method? � |
Yes – via policies for registration details – and via Advanced Registration Module (ARM) for custom methods |
|
Tool kits available? � |
Yes - high-level PKI-enabling; protocol- & application- specific (SSL, S/MIME, XML, WAP) and low-level cryptographic-enabling. Available in C or Java. |
|
Directory support: |
� |
|
Own directory only or third party? Which third party directories? � |
Third party – any via LDAP or DAP – including Isocor, Netscape etc. |
|
Own directory provided out of the box? � |
No – third party directories are sold by Baltimore |
|
Can new objects be created on the fly by the PKI? � |
Yes |
|
Smart card/token support: |
� |
|
Which devices/standards? � |
Via PKCS#11 – e.g. Datacard 320/310, Gemplus, Luna tokens |
|
Client protection? � |
Specific to device , but normally pin/pass phrase |
|
CA Administrator protection? � |
Software / smartcard / token |
|
RA Administrator protection? � |
Software / smartcard / token |
|
Key management: |
� |
|
Automatic key update? � |
Not for CA - will be supported in future |
|
Automatic key histories? � |
No |
|
Key backup and recovery? � |
Yes - via archive server |
|
Management interface: |
� |
|
CA Administration – GUI/command line � |
GUI |
|
Logging/reporting Built-in reporting or third party? � |
Via Oracle tools |
|
Policy-based management?� |
Yes |
|
Multiple CA administrators? � |
Yes |
|
Multiple RA administrators? � |
Yes |
|
Can different administrators be assigned different tasks? � |
es – CA operators can have separation of roles RAO operators can only use policies they have been allocated |
|
Interoperability: |
� |
|
Standards supported: � |
PKIX, PKCS#10, PKCS#7, PKCS#12 � |
|
CA � |
PKIX messaging, RSA, DSA, ECDSA etc, devices via PKCS#11 |
|
RA � |
PKIX messaging, RSA, DSA, ECDSA etc, devices via PKCS#11 |
|
Crypto hardware � |
PKCS#11 |
|
Directories � |
LDAP, DAP |
|
Certificate protocols � |
X.509v3 |
|
Others � |
See chart below |
|
Third Party Application Support |
� |
|
Specify key partners or applications that support your PKI products � |
Wide range – directories, hardware devices, smartcards as above, Valicert, Cisco CEP and a wide of other 3rd party applications.� Baltimore’s interoperability alliance, PKI World (www.pkiworld.com) currently covers the following companies and sectors: VPN - Checkpoint, TrustWorks, Data Fellows, KyberPASS, RadGuard, TimeStepAccess Control - Axent, Dascom, enCommerce, Gradient, NetegritySecure E-Commerce - Celo Communications, LockStar, PCSL, SHYM Technology, Thawte, ValiCertSmartcards & Hardware - ActivCard, Authentic8, Chrysalis-ITS, Datakey, Gemplus, nCipher, SetecDirectories - Control Data, Isocor, MessagingDirect, Netscape, PeerLogicSecure Messaging - Content Technologies, Worldtalk� |
|
Is this support via generic methods or proprietary tool kits? � |
Generic / standards methods – Not proprietary toolkits |
|
Other notable points/USP’s: |
� |
|
Please provide any additional information which may be pertinent � |
Policy based – very scaleable – flexibility – control – choice � |
Click here to return to the Review
Send mail to webmaster
with questions or�
|