Baltimore UniCERT V5 Checklist

Certificate support:

Format(s) supported
    X.509 v1 and v3

Extensions allowed? Standard/private
    Almost all X.509 and PKIX extensions supported; custom extensions also supported

Multiple keys/certificates per user? (Yes/No and the number allowed, or "no limit")
    Yes, no limit

Can certificates be customised? Method?
    Yes. The CAO includes a full-featured GUI-based Registration Policy editor, which allows extensive customisation of certificates.

Revocation methods:

CRL?
    Yes

OCSP?
    Yes

CRT (Certificate Revocation Trees)?
    Via a third-party product that supports CRT, e.g. ValiCert VA

CRL Distribution Points?
    Yes

Scalability:

Modularity (brief description of architecture, e.g. CA/RA on separate machines)
    UniCERT v5.0 has a modular architecture with separate modules for the CA and RA, as well as management and interface components such as the CAO, WebRAO and Protocol Handlers. All are separate modules that can be co-located or run on separate systems.

Installation options
    Windows NT, Windows 2000, Solaris 8 and HP-UX 11. Note that the CAO is only available on Windows NT and Windows 2000.

Capacity (max. no. of certificates per CA)
    No limitation on the number of certificates handled by a CA

Security:

Communications to client
    Various: PKCS#10/7, PKCS#12, PKIX CMP, SCEP

Communications between CA/RA
    PKIX CMP messaging (all signed)

CA/RA protection (tokens, passwords, ACLs, etc.)
    CA and RA can use software or hardware security modules, with associated access controls. The PSE can be split across multiple smartcards; CAO and RAO can use smartcards.

Hardware protection of CA root keys? (Yes/No and method)
    Yes, via any of the following modules (the method is specific to the module): Baltimore Technologies SureWare Keyper, Chrysalis Luna CA3, and nCipher nShield and nForce

PKI topologies:

Cross certification methods allowed
    Via PKCS#10/7 and certificate based

If hierarchies are allowed, what depth?
    Any depth, no limitations

At what levels can CAs be cross-certified?
    Any level

Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance?
    The hierarchy can be added to at any time

Multiple CA/RA allowed? (Yes/No and the limit)
    Yes: any depth of CA hierarchy with unlimited CAs per level, and unlimited RAs per CA.

Registration mechanisms (for each, Yes/No, and whether out of the box or via tool kits):

Face to face
    Yes, out of the box

Bulk/automated
    Yes, out of the box, and customisable

Web
    Yes, out of the box

E-mail
    Yes, out of the box

VPN
    Yes, out of the box. VPN products using SCEP and PKCS#10/7 are supported.

Other (specify)
    PKIX CMP. Customisable via the Advanced Registration Module.

Device certification direct to CA or requires admin intervention?
    Either automatic or with admin intervention

Can RA interface be customised easily? Method?
    Yes, via policies for registration details, and via the Advanced Registration Module (ARM) for custom methods

Tool kits available?
    Yes: high-level PKI-enabling; protocol- and application-specific (SSL, S/MIME, XML, WAP); and low-level cryptographic-enabling. Available in C or Java.

Directory support:

Own directory only or third party? Which third-party directories?
    Third party, any via LDAPv3. Most mainstream directories are supported, including iPlanet, Critical Path, Siemens, Active Directory, Oracle iDirectory, etc.

Own directory provided out of the box?
    No, third-party directories are used in conjunction with UniCERT

Can new objects be created on the fly by the PKI?
    Yes

Smart card/token support:

Which devices/standards?
    Via PKCS#11, e.g. SureWare Keyper, Chrysalis Luna CA3, nCipher nShield/nForce, Datakey, Gemplus, Oberthur, ActivCard, Rainbow, etc.

Client protection?
    Specific to the device, but normally a PIN or pass phrase

CA Administrator protection?
    Software / smartcard / token

RA Administrator protection?
    Software / smartcard / token

Key management:

Automatic key update?
    Will be supported in 5.0.S

Automatic key histories?
    Depends on the client software

Key backup and recovery?
    Yes, via the Key Archive Server

Management interface:

CA Administration: GUI/command line?
    GUI

Logging/reporting: built-in reporting or third party?
    Error and information events are recorded in the operating system logs. Audit information is recorded in signed tables in the Oracle database. Audit and event viewing capability is provided by the product. Other reports can be produced using third-party (e.g. Oracle) tools.

Policy-based management?
    Yes

Multiple CA administrators?
    Yes

Multiple RA administrators?
    Yes

Can different administrators be assigned different tasks?
    Yes. CA operators can have separation of roles; RAO operators can only use the policies they have been allocated.

Interoperability:

Standards supported
    X.509, PKIX, PKCS, others (see details below)

CA
    PKIX CMP messaging; RSA, DSA, ECDSA, etc.; devices via PKCS#11

RA
    PKIX CMP messaging; RSA, DSA, ECDSA, etc.; devices via PKCS#11

Crypto hardware
    PKCS#11

Directories
    LDAPv3

Certificate protocols
    X.509 PKIX (RFC 2459)

Others
    See chart below

Third Party Application Support (specify key partners or applications that support your PKI products)
    Wide range: directories, hardware devices and smartcards as above.

Baltimore's interoperability alliance, the Technology Partner Program (www.baltimore.com/partners/technology), currently covers the following companies and sectors:

VPN & Firewall: Cisco, Checkpoint, Nortel Networks, Trustworks, SafeNet, F-Secure
Web Access Management: Secure Computing, Evincible, Kyberpass, Netegrity
Directories: Microsoft, iPlanet, Critical Path, Siemens, Novell, Oracle, Syntegra
Smartcards & Hardware: ActivCard, Datakey, Gemplus, Oberthur, Giesecke and Devrient, Setec, Schlumberger, Chrysalis-ITS, nCipher
Tokens: Aladdin, Rainbow
Validation: ValiCert, Kyberpass, CertCo
Secure Forms: eLock, Vordel, iLumin, Conclusive
Wireless: AU System, NTT Docomo, Altamedius, Openwave, Ericsson, Motorola

Is this support via generic methods or proprietary tool kits?
    Generic / standards-based methods, not proprietary toolkits

Other notable points/USPs:

Please provide any additional information which may be pertinent
    Policy based, very scalable, flexibility, control, choice

The table below gives the cryptographic algorithms supported by Baltimore UniCERT.

Algorithm          Comments
RSA (512-4096)     Certificates, key generation and internal messaging
DSA (1024)         Certificates, key generation and internal messaging
ECDSA              Certificates, key generation and internal messaging
MD5                Certificates
SHA-1              Certificates and internal messaging
3-DES              Encryption of private keys
Blum Blum Shub     Random number generator

The table below gives the standards supported by Baltimore UniCERT.

Standard                  Comments
X.509                     Certificate (v1 and v3) and CRL (v2) standard
X9.62                     Standard for ECDSA
X3.92                     Data encryption algorithm
X9.31-2                   Standard for SHA-1
CRL v2                    Certificate revocation list standard
RFC 2459                  Profile for X.509 v3 certificates
PKCS#1                    Certificate creation, verification and internal messaging
PKCS#7                    Certificate reply, internal messaging
PKCS#8                    Private key protection format
PKCS#9                    Selected object classes and attribute types
PKCS#10                   Certificate request syntax, including cross certification
PKCS#11                   Communication with external cryptographic modules
PKCS#12                   Vault to store private keys and certificates
CMP (RFC 2510)            Internal messaging and cross certification
CRMF (RFC 2511)           Internal messaging and cross certification
SCEP                      Simple Certificate Enrolment Protocol (Cisco)
LDAP                      Communication with LDAPv3 directories
SQL                       Internal communication
TCP/IP                    Internal communication
Common Criteria EAL4      UniCERT v5 will be evaluated to Common Criteria EAL 4
POP3                      Remote requests
SMTP                      Distribution of certificates and informational messages
HTTP (RFC 2560)           Remote requests
OCSP                      Supported through 3rd-party software
FIPS 140-1 level 2/3/4    Supported through 3rd-party hardware
FIPS 186-1                Standard for DSA
FIPS 180-1                Standard for SHA-1
FIPS 46-3                 Standard for 3-DES
FIPS 81 CBC               Standard for DES in CBC mode

Copyright © 1991-2006 The NSS Group Ltd. All rights reserved.