De La Rue Interclear ClearCert

| Certificate support: | |
| --- | --- |
| Format(s) supported | X509 version 3 |
| Extensions allowed? Standard/private | We have a standard defined set of extensions that we currently implement as a base model. However, most of our customers have different requirements so the provision for private extensions is also catered for. |
| Multiple keys/certificates per user? Specify Yes/No and the number allowed or "no limit" | Yes: no limit, we generally advise our customers to have different keys for distinct services. |
| Can certificates be customised? Method? | Yes: The customer specifies what they require with the guidance from our consultants. |

| Revocation methods: | |
| --- | --- |
| CRL? | Yes, in accordance with X509 |
| OCSP? | Currently under beta test, but we do have partners that support OCSP if required |
| CRT (Certificate Revocation Trees)? | No |
| CRL Distribution Points? | Yes |

| Scalability: | |
| --- | --- |
| Modularity: Brief description of architecture (i.e. CA/RA on separate machines, etc.) | Supports CA and RA on separate machines. We also cater for one or more RAs across different geographical areas. |
| Installation options | As an outsourced service provider we handle all the installation process concerning CA and RA services. We also provide an installation team if required at the client site. |
| Capacity: Max no. of certificates per CA | There are no limitations to the number of certificates per CA. |

| Security: | |
| --- | --- |
| Communications to client | Communication between the browser and the web server is PKCS 7/10/12 over SSL for session security. |
| Communications between CA/RA | Certificate based mutual authentication with specific administrative privileges for specific processes. |
| CA/RA protection (tokens, passwords, ACLs, etc.) | Administrators must authenticate using hardware tokens. The CA is always hosted in a secure vault. All RA functions hosted by InterClear will also be in a secure environment, but if the client hosts the RA system, hardware tokens are used to authenticate the operators. |
| Hardware protection of CA root keys? Specify Yes/No and method | Yes - support for Zaxus (Racal) and nCipher (secret shares). |

| PKI topologies: | |
| --- | --- |
| Cross certification methods allowed | Via PKIX CMP, PKCS #7/10. |
| If hierarchies are allowed: | |
| What depth? | No limitations, but this often depends on application support |
| At what levels can CAs be cross-certified? | Root only. |
| Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance? | Yes, but it requires end users to install an intermediate certificate. |
| Multiple CA/RA allowed? Specify Yes/No and the limit | Yes: no limit. Secure remote management is also under development. |

| Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits): | |
| --- | --- |
| Face to face | Yes, De La Rue InterClear have a number of offices worldwide that we can use to facilitate face to face registration. |
| Bulk/automated | Yes, part of the service offering |
| Web | Yes, part of the service offering |
| | No, but can be customised to offer this facility. |
| VPN | Only VPN devices that support registration for PKCS 7/10, Cisco CEP/SCEP protocols are not currently supported as our base build, but will be catered for in the future. |
| Other (specify) | |
| Device certification direct to CA or requires admin intervention? | Requires admin intervention |
| Can RA interface be customised easily? Method? | Yes. Can be specified by the customer in their PKI build specification criteria. |
| Tool kits available? | No: We build the PKI service for the customer |

| Directory support: | |
| --- | --- |
| Own directory only or third party? Which third party directories? | Own directory only |
| Own directory provided out of the box? | Built to customers' requirements |
| Can new objects be created on the fly by the PKI? | Yes |

| Smart card/token support: | |
| --- | --- |
| Which devices/standards? | Via PKCS 11, CAPI, Smart Cards that are based on 320/310 |
| Client protection? | Generally PIN or pass phrase but can also support biometric |
| CA Administrator protection? | Smart Card / tokens and Physical security |
| RA Administrator protection? | Smart Card / Password and Physical security |

| Key management: | |
| --- | --- |
| Automatic key update? | Can be supported depending on policies but key renewal is recommended. |
| Automatic key histories? | Not supported |
| Key backup and recovery? | Supported |

| Management interface: | |
| --- | --- |
| CA Administration - GUI/command line | Both command line and GUI |
| Logging/reporting: Built-in reporting or third party? | Built in logging and reporting and is tailored to customer requirements |
| Policy-based management? | Yes |
| Multiple CA administrators? | Yes |
| Multiple RA administrators? | Yes |
| Can different administrators be assigned different tasks? | Yes |

| Interoperability: | |
| --- | --- |
| Standards supported: | |
| CA | Built on commonly used standards in industry e.g. RSA, DES, PKCS, PKIX etc. |
| RA | Built on commonly used standards in industry e.g. RSA, DES, PKCS, PKIX etc. |
| Crypto hardware | PKCS#11, FIPS-1 level 3 |
| Directories | LDAP, DAP |
| Certificate protocols | X509, S/MIME, SSL, IPSec |
| Others | |

| Third Party Application Support | |
| --- | --- |
| Specify key partners or applications that support your PKI products | All commercial applications that support X509 v3 certificates |
| Is this support via generic methods or proprietary tool kits? | Generic in most cases but sometimes dictated by the product vendor |

| Other notable points/USPs: | |
| --- | --- |
| Please provide any additional information which may be pertinent | We are not traditional product vendors as the service provided is tailored to specific customer needs. Certificates and RA functions are all branded to reflect the customer's brand. The burden of PKI implementation and operation is taken out through extensive outsource services that we provide e.g. legal, consultancy, support desk, custom build team, CA management, RA management, Policy Definition etc. This managed service allows the customer to concentrate on their own business, while still having total control over the PKI rules and regulations. |