BT TrustWise OnSite 4.5 Features Checklist
Certificate support: |
Format(s) supported |
PKIX X509v3 |
Extensions allowed? Standard/private |
Yes. Both |
Multiple keys/certificates per user? Specify Yes/No and the number allowed or no limit |
There is no technical constraint
on the number of certificates per user. With the introduction of per-seat
pricing, OnSite single application customers are limited to one
certificate (two if dual key pairs are used) per user. Full OnSite
customers will have no limitation. |
Can certificates be customised? Method? |
TrustWise provides significant
customisation of certificates through an easy-to-use point-and-click
interface, and complete customisation can be provided on an individual
customer basis. |
Revocation methods: |
CRL? |
OnSite provides a CRL via LDIFv3 files |
OCSP? |
TrustWise doesn't currently support OCSP in the UK, but it can be provided through our technology partner, VeriSign, from the US. |
CRT (Certificate Revocation Trees)? |
Not supported. |
CRL Distribution Points? |
Supported |
Scalability: |
Modularity: brief description of architecture (i.e. CA/RA on separate machines, etc.) |
TrustWise is a managed service with the CA hosted in a secure facility in the TrustWise Operations Centre and the RA function on separate machine(s) on customer premises. |
Installation options |
N/A |
Capacity: max no. of certificates per CA |
No constraint on the number of certificates per CA |
Security: |
Communications to client |
Via PIN pick-up or email, dependent on certificate type. |
Communications between CA/RA |
Secured Transaction. |
CA/RA protection (tokens, passwords, ACLs, etc.) |
Role Based Tokens (SmartCards). |
Hardware protection of CA root keys? Specify Yes/No and method |
Yes, via LUNA II CA using M*N shares. |
PKI topologies: |
Cross certification methods allowed |
Hierarchical PKI supported today.
This is also the only type of PKI topology supported by existing
commercial applications today. |
If hierarchies are allowed: |
What depth? |
There is no limit on the depth
supported. However, some applications impose their own limits. |
At what levels can CAs be cross-certified? |
Not available |
Is it possible to join a hierarchy after installation to
support mergers, acquisitions, or joining a trust alliance? |
Yes, but already issued certs will need to be replaced, as there is no way with current commercial software to retroactively add trust relationships to certificates. |
Multiple CA/RA allowed? Specify Yes/No and the limit |
Yes. No limitations |
Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits): |
Face to face |
Yes (out of box) |
Bulk/automated |
Yes (out of box) |
Web |
Yes (out of box) |
E-mail |
Yes (out of box) |
VPN |
Yes (out of box) |
Other (specify) |
|
Device certification direct to CA or requires admin
intervention? |
Both can be supported |
Can RA interface be customised easily? Method? |
Yes, using the automated administration module, which provides full APIs
for RA functionality. |
Tool kits available? |
Certification Validation Module,
Certificate Parsing Tool, Directory Integration Module |
Directory support: |
Own directory only or third party? Which third party directories? |
Own, and via Directory Integration Module into any LDIF v3 compatible directory |
Own directory provided out of the box? |
Yes |
Can new objects be created on the fly by the
PKI? |
Yes |
Smart card/token support: |
Which devices/standards? |
International Standards: ISO 7816-1/2/3 compliant; PKCS compliant; PC/SC Workgroup Specifications compliant; X.509 certificate compliant |
Client protection? |
SmartCard protection is a possible option |
CA Administrator protection? |
SmartCard |
RA Administrator protection? |
SmartCard |
Key management: |
Automatic key update? |
No |
Automatic key histories? |
No |
Key backup and recovery? |
Yes, provided by Key Manager option |
Management interface: |
CA administration: GUI/command line |
Web based. |
Logging/reporting: built-in reporting or third party? |
Built-in reporting available |
Policy-based management? |
Yes |
Multiple CA administrators? |
Yes |
Multiple RA administrators? |
Yes |
Can different administrators be assigned different tasks? |
Yes |
Interoperability: |
Standards supported: |
CA |
X.509V3 |
RA |
X.509V3 |
Crypto hardware |
FIPS 140- Level 2 |
Directories |
LDAP |
Certificate protocols |
X509, S/MIME, SSL, IPSec |
Others |
|
Third Party Application Support |
Specify key partners or applications that support your PKI products |
The VeriSign Trust Network root keys are embedded in many
products including some from Microsoft and Netscape.
A current list of partners can be found at
http://www.verisign.com/partners/list.html |
Is this support via generic
methods or proprietary tool kits? |
Dictated by the product vendor |
Other notable points/USPs: |
Please provide any additional information which may be pertinent |
OnSite is a managed PKI service, which operates on standard hardware/software platforms. Customers can therefore deploy services quickly with minimum set-up costs. Customers also benefit from an industrial-strength operation, without the need to provide their own services and security infrastructure. Customers can select either a private hierarchy (not bound by the VeriSign CPS) or issue certificates under the VeriSign Trust Network. |