 |
|
IBM Trust Authority 3.1 Features Checklist
|
� |
|
|
Format(s) supported |
X509 v3 |
|
Extensions allowed?� Standard/private |
Yes - standard and private |
|
Multiple keys/certificates per user? Specify Yes/No and the number allowed or “no limit” |
Yes - no limit, also no additional charge for unlimited certificates per user� |
|
Can certificates be customised?� Method? |
Yes - creation of certificate template allows users to request the certs.� |
|
Revocation methods: |
|
|
CRL? |
Yes� |
|
OCSP? |
Yes, via Valicert� |
|
CRT (Certificate Revocation Trees)? |
Yes, via Valicert� |
|
CRL Distribution Points? |
No |
|
Scalability: |
� |
|
Modularity Brief description of architecture (i.e. CA/RA on separate machines, etc) |
CA/Audit Server on one machine,� RA Server on second machine, Directory on a third machine.� Each machine can be multiprocessor system on NT or UNIX.� Registrar systems run as java applications on RA applications to allow the RA to work anywhere and reduce� workload on RA Server. |
|
Installation options |
Components installed on one machine, or on separate machines as mentioned above.� Since pricing is user based, you may install as many servers as required to meet your needs. |
|
Capacity Max no. of certificates per CA |
SecureWay Directory tested with over 30 million entries. |
|
Security: |
� |
|
Communications to client |
128bit SSL |
|
Communications between CA/RA |
Signed messages from CA to RA using PKIX CMP protocols over TCP/IP. |
|
CA/RA protection (tokens. Passwords, ACL’s, etc.) |
Password or Smartcard authentication for RA Administrators.� Access Control Lists for administrator privileges.� Software modules signed by IBM.� KeyStores in hardware or triple DES encrypted. |
|
Hardware protection of CA root keys?� Specify Yes/No and method |
Yes, IBM 4758 Cryptographic Coprocessor on AIX, certified as FIPS 140-1 Level 4.�� Yes, Smartcards for both AIX and NT. |
|
PKI topologies: |
� |
|
Cross certification methods allowed |
PKIX-CMP for bi-directional cross certification� |
|
If hierarchies are allowed: |
� |
|
What depth?� |
No limit |
|
At what levels can CA’s be cross-certified? |
At any level of the hierarchy |
|
Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance? |
Yes, and the root key is preserved. |
|
Multiple RA allowed per CA?� Specify Yes/No and the limit |
No.� |
|
Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits): |
� |
|
Face to face |
Yes, out of the box� |
|
Bulk/automated |
Yes, via toolkits� |
|
Web |
Yes, out of the box� |
|
|
Yes, out of the box (RA accepts email) |
|
VPN |
Yes, out of the box� (PKCS 10/7) |
|
Other (specify) |
Pre-registration via RA, user download certificate from client |
|
Device certification direct to CA or requires admin intervention? |
Admin intervention required at VPN (RA can automatically approve cert request) |
|
Can RA interface be customised easily? Method? |
Yes, customise via scripting, additional fields added to registration application via Java Server Pages (html) |
|
Tool kits available? |
Yes.� SecureWay Toolbox includes a complete CDSA compliant cryptographic toolkit and complete PKIX toolkit. |
|
Directory support: |
� |
|
Own directory only or third party? Which third party directories? |
Own Directory.� Also LDAP compliant, so it should interoperate with any LDAP compliant directory. |
|
Own directory provided out of the box? |
Yes, at no additional charge |
|
Can new objects be created on the fly by the PKI? |
Yes |
|
Smartcard/token support: |
� |
|
Which devices/standards? |
Any PKCS #11 or MS CAPI compliant card� |
|
Client protection? |
Trust Authority Client can use real smartcards (via PKCS #11) or virtual smartcard |
|
CA Administrator protection? |
Operating System control only |
|
RA Administrator protection? |
Any PKCS #11 or� MS CAPI compliant card |
|
Key management: |
� |
|
Automatic key update? |
No.� Planned for 1Q 2000 release |
|
Automatic key histories? |
No.� Planned for 1Q 2000 release |
|
Key backup and recovery? |
No.� Planned for 1Q 2000 release |
|
Management interface: |
� |
|
CA Administration – GUI/command line |
Command line |
|
Logging/reporting Built-in reporting or third party? |
Minimal reporting built in.� DB2 Report Writers available from multiple third parties. |
|
Policy-based management? |
Yes, via business process framework, certificate profiles and policy exits. |
|
Multiple CA administrators? |
Yes. |
|
Multiple RA administrators? |
Yes. |
|
Can different administrators be assigned different tasks? |
Yes, for example, one administrator assigned to certificate approvals, and another to certificate revocations. |
|
Interoperability: |
� |
|
Standards supported: |
� |
|
CA |
Ÿ������ X.509v3 certificates Ÿ������ Certificate revocation lists (CRLv2) Ÿ������ Key lengths up to 1024 bits for encryption and key exchange keys Ÿ������ Key lengths up to 2048 bits for CA signing keys Ÿ������ RSA algorithms for encryption and signing Ÿ������ MD5 and SHA-1 hash algorithms Ÿ������ PKIX CMP and CMMF via TCP/IP for communications with the Registration Authority SecureWay Directory LDAP version 3.0, with RFC 1779 syntax Ÿ������ ODBC for communications to database |
|
RA |
Ÿ������ Secure Sockets Layer (SSL) version 2 and version 3, with client authentication Ÿ������ PKCS #10 browser and server certificate request format, with a PKCS #7 response� format or as raw, binary or Base 64 encoded certificate Ÿ������ PKIX CMP certificate format, with a PKIX CMP response Ÿ������ IPSec certificate format Ÿ������ S/MIME certificate format Ÿ������ Browser certificates for: w����� Microsoft Internet Explorer versions 4.x and 5.x w����� Netscape Navigator and Netscape Communicator versions 3.x and 4.x Ÿ������ Server certificates for: w����� Netscape Enterprise Server w����� Microsoft Internet Information Server w����� IBM HTTP Server w����� Apache Server w����� Any which requests via PKCS #10/7 standards Ÿ������ Smartcard certificates (PKCS #11 interface) for: w����� Trust Authority Client application w����� Netscape Navigator and Netscape Communicator versions 3.x and 4.x Ÿ������ LDAP standard for communications with the Directory Ÿ������ PKIX CMP and� CMMF via TCP/IP for communications with the Certificate Authority Ÿ������ PKIX CMP CMMF via TCP/IP for communications with the Client application Ÿ������ PKCS #11 for interface to smartcard key store Ÿ������ ODBC for communications to database |
|
Crypto hardware |
�IBM 4758 Cryptographic Coprocessor Hardware w����� FIPS 140 level 4 requirements for resistance to����������� physical attacks� w����� Support for industry-accepted cryptography standards: w����� DES for encryption/decryption w����� RSA for signing/signature verification w����� PKCS #1 block type 00 w����� PKCS #1 block type 01 w����� PKCS #1 block type 02 w����� MD5 and SHA-1 hash algorithms w����� X9.9 and X9.23 ANSI w����� ISO 9796� Common Cryptographic Architecture (CCA) Provides services for the 4758 coprocessor, including the secure generation of RSA key pairs with modulus lengths as long as 2048 bits, and: w����� SET (Secure Electronic Transaction) w����� DES for encryption and decryption w����� RSA for signing and signature verification w����� MD5 and SHA-1 hash algorithms �Smartcards via PKCS #11 or MS CAPI interface |
|
Directories |
SecureWay Directory (LDAP) |
|
Certificate protocols |
Ÿ������ X509 V3 for certificates, including: Ÿ������ Standard Extensions – These are the extensions defined in RFC2459, such as key usage, private key usage period, subject alternative name, basic constraints, and name constraints. Ÿ������ Common Extensions - Extensions that are unique to Trust Authority, such as host identity mapping. This extension associates the subject of a certificate with a corresponding identity on a host system. Ÿ������ User Defined Extensions - Extensions that an application can use to identify an online validation service that supports the issuing CA. Ÿ������ PKCS #10 browser and server certificate request format, with a PKCS #7 response� format or as raw, binary or Base 64 encoded certificate Ÿ������ PKIX CMP certificate format, with a PKIX CMP response Ÿ������ IPSec certificate format Ÿ������ S/MIME certificate format Ÿ������ Browser certificates for: w����� Microsoft Internet Explorer versions 4.x and 5.x w����� Netscape Navigator and Netscape Communicator versions 3.x and 4.x Ÿ������ Server certificates for: w����� Netscape Enterprise Server w����� Microsoft Internet Information Server Ÿ������ Smartcard certificates (PKCS #11 or MS CAPI compliant)� |
|
Others |
� |
|
Third Party Application Support |
� |
|
Specify key partners or applications that support your PKI products |
Equifax (US) and Datakom (Austria) as Trusted Third Parties.�� Over 50 ISV’s recruited for IBM PKI offerings.� Email, VPN and other applications.� Key applications include Deloitte & Touche Litigation Support System, GemPlus Smartcards, Lotus Notes/Domino, Microsoft Outlook and Exchange, Entegrity SDP, etc. |
|
Is this support via generic methods or proprietary tool kits? |
Primarily via generic methods, although some use proprietary toolkits. |
|
Other notable points/USP’s: |
� |
|
Please provide any additional information which may be pertinent |
First PKI Offering by any vendor based on the IETF PKIX Reference Implementation (Jonah),.which was donated to the Internet community by IBM� The PKIX Reference Implementation is available from www.mit.edu/pfl �available in English, French, German, Spanish, Italian, Brazilian Portuguese, Japanese, Korean, Traditional Chinese and Simplified Chinese |
Click here to return to the Review
Send mail to [email protected] with
|