BT Ignite Managed PKI 5.4.1 Checklist
Certificate support:

| Item | Response |
| --- | --- |
| Format(s) supported | PKIX X.509 v3 |
| Extensions allowed? Standard/private | Yes, both |
| Multiple keys/certificates per user? Specify Yes/No and the number allowed or "no limit" | There is technically no limit on the number of certificates per user. Certificates are now provided on a per-seat basis (i.e. per person) depending on the application the customer requires. Typically a single certificate is provided with Managed PKI Single Application, and multiple certificates with Managed PKI, where multiple CAs are provided. Dual key pair certificates provided via Key Manager are counted as a single seat. |
| Can certificates be customised? Method? | VeriSign provides significant customisation of certificates through an easy-to-use point-and-click GUI, the Policy Wizard. On an individual custom basis, BT Trust Services will create and support custom configuration files for specific customer certificate content requirements. |
Revocation methods:

| Item | Response |
| --- | --- |
| CRL | Managed PKI provides CRLs in PKCS#7, LDIFv3 and X.509 binary formats (X.509 v3 CRLs are available on an individual customer basis). CRLs are issued daily as standard, and hourly via the Premium Revocation option. |
| OCSP | OCSP is provided via an OCSP responder at the Processing Centre in Cardiff. |
| CRT (Certificate Revocation Trees)? | Not supported |
| CRL Distribution Points? | Supported |
Scalability:

| Item | Response |
| --- | --- |
| Modularity: brief description of architecture (i.e. CA/RA on separate machines, etc.) | Trust Services provides a managed service with the CA hosted in secure facilities at the Trust Services Operations Centre. RA functions are either hosted by BT (for Managed PKI Lite) or locally on separate machine(s) on customer premises, depending on the customer's required configuration. The service is fully scalable to millions of end users. |
| Installation options | Depending on customer requirements, the customer may install their own Managed PKI Lite service. All Managed PKI installations (including Single Application and Full) will be installed by BT. Additional custom integration and application development work can also be provided by BT Ignite Solutions. |
| Capacity: max. no. of certificates per CA | No constraints on the number of certificates per CA |
Security:

| Item | Response |
| --- | --- |
| Communications to client | PIN pick-up is provided via email; retrieval by end users of Managed PKI also requires presentation of the corresponding CSR/private key. |
| Communications between CA/RA | Secured transaction |
| CA/RA protection (tokens, passwords, ACLs, etc.) | RA protection (optional use by customer) using smart cards or other compatible tokens. CAs are held on Luna (II) CA tokens. |
| Hardware protection of CA root keys? Specify Yes/No and method | Luna (II) CA tokens requiring X of Y key shares for access (X and Y are usually 3 of 5, but any combination can be specified for specific customer requirements). A Luna (III) CA for an offline Root CA generated with a 2048-bit key modulus is supported for specialist customer requirements, but is not recommended for most customers because of browser and application limitations. |
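
The "X of Y key shares" control described above is a threshold scheme: the CA key is only usable when a quorum of share-holders is present. The following added example is not code from BT, VeriSign or the Luna product (whose internal share format is not described on this page); it implements Shamir's threshold secret sharing over a prime field to show why any 3 of 5 shares reconstruct a secret while 2 yield nothing useful. The modulus `PRIME`, the secret values and the function names `split_secret`, `recover_secret` and `quorum_check` are constructed for the demonstration.

```python
import secrets

# Field modulus: a 127-bit Mersenne prime, constructed for this example. Any prime
# larger than the secret works; shares are integers modulo this value.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, shares):
    """Split `secret` into `shares` shares so that any `threshold` of them rebuild it.

    The secret becomes the constant term of a random polynomial of degree
    threshold-1; share i is the point (i, f(i)).
    """
    if not 0 < threshold <= shares:
        raise ValueError("need 0 < threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(share_subset):
    """Lagrange-interpolate f(0) from (x, y) shares; correct only with >= threshold shares."""
    xs = [x for x, _ in share_subset]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(share_subset):
        num, den = 1, 1
        for j, (xj, _) in enumerate(share_subset):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, -1, PRIME) is the modular inverse of den (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def quorum_check(threshold=3, shares=5):
    """Return (quorum_recovers, below_quorum_recovers) for a fresh random secret.

    The second value is False except with probability 1/PRIME: interpolating
    from fewer than `threshold` shares yields a field element unrelated to the secret.
    """
    secret = secrets.randbelow(PRIME)
    all_shares = split_secret(secret, threshold, shares)
    quorum = recover_secret(all_shares[:threshold]) == secret
    below = recover_secret(all_shares[: threshold - 1]) == secret
    return quorum, below


if __name__ == "__main__":
    print(quorum_check())  # expected: (True, False)
```

In a hardware token the shared value would be a key held inside the device rather than a Python integer, and each custodian would authenticate individually, but the arithmetic is the same. Note that `recover_secret` cannot tell it was handed too few shares: a sub-quorum result is uniformly distributed over the field, so the quorum size is a policy enforced by whoever holds the shares, not something the mathematics reports.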
PKI topologies:

| Item | Response |
| --- | --- |
| Cross certification methods allowed | Hierarchical PKI is supported, which is currently the only methodology supported by existing commercial applications. |

If hierarchies are allowed:

| Item | Response |
| --- | --- |
| What depth? | There is no limit to the depth of CA hierarchy that could be supported; however, limitations of client and application software dictate that 4 layers are usually the maximum that would be recommended to customers. |
| At what levels can CAs be cross-certified? | Theoretically at all levels, but the practical implications of doing so would probably dictate that it would be easier to replace the hierarchy with new CAs and issue new end user certificates. |
| Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance? | Subordinate and Intermediate CAs can easily be added to an existing hierarchy. Where superior CAs need to be hierarchically joined, this could theoretically be achieved by recertification of each superior CA by the other, or by the introduction of an uber root at the top of the hierarchy. |
| Multiple CA/RA allowed? Specify Yes/No and the limit | Yes, including multiple Jurisdiction RAs on a custom basis; this allows some differences of certificate format under a single issuing CA, for example to permit client and device IPSec certificate formats to be issued under a single CA. No limitations known. |
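
The two joining methods given in the answers above (mutual recertification of the superior CAs, or a new "uber root" above both) and the recommended 4-layer depth limit can be illustrated with a small path-building routine. The following is an added example, not code from BT or VeriSign: the hierarchies `Alpha` and `Beta`, the end entities `alice` and `bob`, and the functions `build_path`, `cross_certify` and `join_with_uber_root` are constructed for the demonstration and model only subject/issuer links, not signatures, validity periods or policy constraints.

```python
from collections import deque

# Toy certificates as (subject, issuer) pairs; a self-signed root has subject == issuer.
# Constructed sample data: two independent hierarchies, Alpha and Beta.
ALPHA_CERTS = [("Alpha Root", "Alpha Root"), ("Alpha Sub", "Alpha Root"), ("alice", "Alpha Sub")]
BETA_CERTS = [("Beta Root", "Beta Root"), ("Beta Sub", "Beta Root"), ("bob", "Beta Sub")]


def build_index(certs):
    """Map each subject name to the list of issuers that have certified it."""
    index = {}
    for subject, issuer in certs:
        index.setdefault(subject, []).append(issuer)
    return index


def build_path(certs, end_entity, trust_anchors, max_depth=4):
    """Breadth-first search from the end entity up issuer links to a trust anchor.

    Returns the chain of subject names (end entity first, anchor last), or None.
    max_depth bounds the number of certificates in the chain, mirroring the
    client-side limit that makes about 4 layers the practical maximum.
    """
    index = build_index(certs)
    queue = deque([[end_entity]])
    while queue:
        path = queue.popleft()
        current = path[-1]
        if current in trust_anchors:
            return path
        if len(path) >= max_depth:
            continue  # chain would exceed what relying parties accept
        for issuer in index.get(current, []):
            if issuer not in path:  # skip self-signed loops and cross-cert cycles
                queue.append(path + [issuer])
    return None


def cross_certify(certs_a, certs_b, root_a, root_b):
    """Join two hierarchies by having each superior CA certify the other."""
    return certs_a + certs_b + [(root_a, root_b), (root_b, root_a)]


def join_with_uber_root(certs_a, certs_b, root_a, root_b, uber="Uber Root"):
    """Join two hierarchies by introducing a new root that certifies both existing roots."""
    return certs_a + certs_b + [(uber, uber), (root_a, uber), (root_b, uber)]


def demo():
    """Compare the two joining methods from an Alpha relying party's point of view."""
    separate = ALPHA_CERTS + BETA_CERTS
    crossed = cross_certify(ALPHA_CERTS, BETA_CERTS, "Alpha Root", "Beta Root")
    ubered = join_with_uber_root(ALPHA_CERTS, BETA_CERTS, "Alpha Root", "Beta Root")
    return {
        "before_join": build_path(separate, "bob", {"Alpha Root"}),
        "cross_certified": build_path(crossed, "bob", {"Alpha Root"}),
        "cross_certified_depth3": build_path(crossed, "bob", {"Alpha Root"}, max_depth=3),
        "uber_root": build_path(ubered, "bob", {"Uber Root"}),
    }


if __name__ == "__main__":
    for label, chain in demo().items():
        print(f"{label}: {chain}")
```

Running `demo()` shows that before joining, a relying party trusting only `Alpha Root` cannot reach `bob` at all; after cross-certification it builds a four-certificate chain, and the same chain is rejected at `max_depth=3`. The uber-root method needs every relying party to adopt the new root as its anchor instead, but produces chains of the same length. Either way each joining step adds a link that every client must be able to build and verify, which is the practical reason the checklist recommends keeping hierarchies to about 4 layers.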
Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits):

| Item | Response |
| --- | --- |
| Face to face | Yes (out of box) |
| Bulk/automated | Yes (out of box) |
| Web | Yes (out of box) |
|  | Yes (out of box) |
| VPN | Yes (out of box) |
| Other (specify) |  |
| Device certification direct to CA or requires admin intervention? | Both can be supported |
| Can RA interface be customised easily? Method? | Yes, using Local Hosting, Passcode Authentication and/or the Auto Admin module, which provides full APIs for RA functionality, or via specific integration toolkits (previously known as Go Secure!) for Microsoft Exchange, Lotus Notes, Checkpoint, web applications, etc. |
| Tool kits available? | Via the Certificate Validation Module, Certificate Parsing Tool and Directory Integration Module |
Directory support:

| Item | Response |
| --- | --- |
| Own directory only or third party? Which third party directories? | Own, and via the Directory Integration toolkit into any standard LDAP-compatible directory, including Microsoft Exchange (including Exchange 2000 using the LDAP interface and middleware). |
| Own directory provided out of the box? | Yes |
| Can new objects be created on the fly by the PKI? | No |
Smart card/token support:

| Item | Response |
| --- | --- |
| Which devices/standards? | ISO 7816-1/2/3 compliant; PKCS compliant; PC/SC Workgroup specifications compliant; X.509 certificate compliant |
| Client protection? | SmartCard or USB token protection standard options available. |
| CA Administrator protection? | SmartCard (optional usage by customer) |
| RA Administrator protection? | SmartCard (optional usage by customer) |
Key management:

| Item | Response |
| --- | --- |
| Automatic key update? | No (not supported by existing commercial applications) |
| Automatic key histories? | No (not supported by existing commercial applications) |
| Key backup and recovery? | Yes, provided via Key Manager. Dual key pair certificate creation for use with other vendor applications is supported on an individual customer basis. |
Management interface:

| Item | Response |
| --- | --- |
| CA Administration: GUI/command line | Web interface |
| Logging/reporting: built-in reporting or third party? | Built-in reporting function in the Administrator Control Centre |
| Policy-based management? | Yes |
| Multiple CA administrators? | Yes |
| Multiple RA administrators? | Yes |
| Can different administrators be assigned different tasks? | Yes |
Interoperability:

Standards supported:

| Item | Response |
| --- | --- |
| CA | VeriSign Managed PKI provides advanced web-based configuration and policy wizards, administration and support tools, report generators and application integration modules to provide full control over CAs and links to the Trust Services Certificate Processing Centre. Managed PKI's capabilities provide full support for end-user registration and certificate renewal, with screens customised to an organisation's specific look and feel. |
| RA | Management of the lifecycle process for enrolling, approving, revoking and renewing certificates is performed through the Control Centre, giving the organisation full control of the registration and authentication process. With Managed PKI, the RA functions, such as certificate approval, revocation, audit and day-to-day management, can be distributed to an unlimited number of administrators, providing complete separation of administrative roles. This ensures that there is no single point of control over all aspects of defining, approving and revoking user keys and certificates, minimising the scope for security breaches. |
| Crypto hardware | FIPS 140 Level 2 |
| Directories | LDAP, X.500, Exchange SQL, or legacy technology. |
| Certificate protocols | X.509, S/MIME, SSL, IPSec |
| Others |  |

Third Party Application Support:

| Item | Response |
| --- | --- |
| Specify key partners or applications that support your PKI products | VeriSign technology is supported by a number of key partners such as Microsoft, Lotus, IBM, Netscape, RSA, etc. VTN root keys are embedded in all major browser software, including Microsoft and Netscape. |
| Is this support via generic methods or proprietary tool kits? | Dictated by the product vendor and their compatibility with applicable standards |
Other notable points/USPs:

| Item | Response |
| --- | --- |
| Please provide any additional information which may be pertinent | BT Ignite Trust Services has recently been awarded tScheme approval, and is in dialogue to provide Level 2 authentication personal certificates for the Government Gateway scheme. BT Ignite Trust Services provides a Managed Service for PKI, which operates on standards-based hardware and software platforms. Customers can therefore deploy services quickly with minimum set-up costs. Customers also benefit from the scale of the operation hosted by a PKI specialist centre such as the Trust Services Key Management and Processing Centres, and from the liability assurance provided by a major provider such as BT, without the need to provide their own services and security infrastructure. Customers may select either a private hierarchy or issue certificates under the VeriSign Trust Network. |