 |
|
BT Ignite Managed PKI 4.5.1 Pricing
Since we last looked at this product (originally called OnSite), pricing has moved from a �per certificate� to a �per seat� basis. A seat is defined as �one or more valid (unexpired, unrevoked) end user certificate(s) held by an individual user.
This is intended to provide a more managed service approach, allowing for customers who lose or need to revoke their certificate, for example through PC rebuild or theft, to receive a replacement free of charge during the 12 month contracted licence period. The number of certificates provided per individual end user is determined by the solution selected.
Note that new price breaks on the MPKI Lite product now allow a cost-effective PKI to be established for as few as 25 users.
To 1000 Seats
For customers with a requirement which will not exceed 1000 seats �MPKI Lite� is recommended. Where the requirement may exceed 1000 seats in the future, or greater automation or customisation is required, MPKI may be a preferable solution:
MPKI Lite
VeriSign MPKI Lite is suitable for customers with applications of 1,000 users or less where an easy to use, off the shelf solution is required. The volume choice now starts at just 25 seats. It includes one certificate seat per user, and supports a maximum of 1,000 users. It includes:
Access to BT Trust Services MPKI services administrator helpdesk support
Access to BT Trust Services PKI Infrastructure
Certificate Validation Module Software (free)
Certificate Parsing Module Software (free)
One Manual Administrator Kit (optional - available free with 500 and 1000 seat options in the UK)
Local Hosting is no longer available with MPKI Lite.
Sample prices for the following quantities of users:
25 �2,500 per annum
50 �3,750 per annum
100 �5,000 per annum
500 �6,500 per annum
1000 �8,500 per annum
MPKI Lite service provides customers with certificates issued under a Private branded online CA, or under the BT public online CA for MPKI Lite signed under the VeriSign Trust Network root. It is purchased directly from the Web Site and does not require installation by BT. However, for customers who are not confident to perform this set up on their own, assistance is offered at a set rate of �3,750 per MPKI Lite installation.
Where MPKI Lite is required for IPSec client and device end users under a single installation, two jurisdictions will be provided for the customer to vary the certificate content for the end user device type at no additional charge.
Over 500 Seats
For customers with a requirement of more than 500 seats, increasing above 1,000 over time, the main MPKI portfolio is recommended. This is also more appropriate where the customer requires a greater degree of automation, integration or customisation to meet their business requirements.
MPKI Portfolio
The MPKI portfolio provides customers with a chained PKI hierarchy. Standard configurations for hierarchies are as follows:
As a Private hierarchy this includes an online customer CA and offline customer root.
Under the public hierarchy (VeriSign Trust Network) this is a co-branded online CA chained through a BT intermediate offline CA to the VeriSign offline root.
Further hierarchy configurations are available, the theoretical maximum number of vertical CA�s being four (restricted only because of browser chaining limitations) with no limit known for the number of CA�s created horizontally under a single superior CA.
Having decided on a Public or Private hierarchy, the customer chooses either a Single Application or full MPKI service. With each application CA, customers may then chose one of several application integration options (previously known as Go Secure! options) for each CA. They may also select additional service extensions, such as revocation options, key manager, custom configuration files and jurisdiction files as described below.
MPKI Single Application
MPKI Single Application service is designed for customers requiring the ability to issue certificates to end users under a single CA for a single application, such as trusted web access control or secure email, but not both. Under MPKI Single Application, the definition of Seat means one current, unexpired, unrevoked certificate which may be replaced during the period of the service contract as described above (two for use with dual key pairs) per user offering. Certificates can be provided for applications using SSL, S/MIME or IPSec certificates.
MPKI Single Application can subsequently be extended by the addition of subordinate and intermediate CA�s under the original root to provide a full MPKI solution for a customer. It provides a relatively low entry level for customers with a single application who want the advanced functionality of full MPKI, and the option of a migration path to expand into providing other end user services in the future.
The customer is provided with one MPKI account and one copy of the included software listed below. A typical standard configuration includes:
Access to BT Trust Services MPKI services administrator helpdesk support, maintenance and software upgrades
Access to MPKI managed service platform, system services and network capacity allocation
Certificate Validation Module Software (free)
Certificate Parsing Module Software (free)
One copy of the following standard service software
Local Hosting Module
Automated Admin Module and/or Passcode Authentication
Directory Integration Module
One Automated Administration hardware kit (Luna II card and reader)
Two Manual Administration Kits
One certificate Seat per user (two certificates for dual key pair usage)
Choice of one Application Integration Toolkit (previously Go Secure!)
Annual licence pricing for the following quantities of users:
500 �24,000 per annum
1,000 �35,000 per annum
2,000 �50,000 per annum
5,000 �80,000 per annum
10,000 �103,500 per annum
100,000 �253,500 per annum
1,000,000 �866,500 per annum
Where MPKI Single Application is required for IPSec client and device end users under a single CA, two jurisdictions will be provided for the customer to vary the certificate content for the end user device type at no additional charge.
CA activation and set up, and installation work to configure the MPKI service to the customers application on the customer premises is provided by BT and is charged as a one off installation cost in addition to the annual licence fee dependent on the customer application to be integrated. This includes the preparation of the CA, Custom Key Ceremony and integration of additionally selected Application Integration Toolkit.
Example installation charges per CA:
|
Seats |
With web apps integration |
With any other integration |
|
500 |
�10,000 |
�16,260 |
|
1,000 |
�12,500 |
�18,750 |
|
2,000 |
�12,500 |
�18,750 |
|
5,000 |
�12,500 |
�18,750 |
|
10,000 |
�15,000 |
�21,250 |
|
100,000 |
�18,750 |
�25,000 |
|
1,000,000 |
�22,500 |
�28,750 |
MPKI
MPKI full enables multiple secure corporate applications such as secure email, intranets, extranets, and web access with digital certificates. It allows corporations to set up their own Public Key Infrastructure (PKI) quickly, easily, and cost effectively. BT Trust Services provides all of the certificate lifecycle services, application support, and management tools required to operate a robust business-class PKI. Under MPKI full, the definition of Seat means a current, unexpired unrevoked certificate for each application per end user (two for use with any dual key pair applications). Certificates can be provided for applications using SSL, S/MIME or IPSec certificates.
A typical standard configuration would provide the customer with one MPKI account per CA, and the licence to use all standard available software with the service for the number of CA�s they have commissioned.
Access to BT Trust Services MPKI services administrator helpdesk support, maintenance and software upgrades
Access to MPKI managed service platform, system services and network capacity allocation
Certificate Validation Module Software (free)
Certificate Parsing Module Software (free)
The following standard service software
Local Hosting Module
Automated Administration Module and/or Passcode Authentication
Directory Integration Module
Automated Administration hardware kit (Luna II card and reader)
Manual Administration Kits
One certificate Seat per user application CA (2 certificates for dual key pair usage)
Choice of one Application Integration Toolkit per application CA (previously Go Secure!)
Indicative annual licence pricing for MPKI full is provided based on typical standard configurations, but in practice implementations are in most cases tailor made to specific customers requirements:
|
Seats |
Standard list price per annum |
CA�s included as standard |
Manual admin kits |
|
1,000 |
�35,000 |
2 |
4 |
|
2,000 |
�50,000 |
2 |
4 |
|
5,000 |
�80,000 |
2 |
4 |
|
10,000 |
�103,500 |
4 |
8 |
|
100,000 |
�253,500 |
6 |
12 |
|
1,000,000 |
�866,500 |
8 |
16 |
As for MPKI Single Application, for IPSec client and device end users under a single CA, two jurisdictions will be provided for the customer to vary the certificate content for the end user device type at no additional charge.
CA activation and set up, and installation work to configure the MPKI service to the customers application on the customer premises is provided by BT and is charged as a one off installation cost in addition to the annual licence fee dependent on the customer application to be integrated. Pricing is as described for MPKI Single Application.
Options 1: Applications Integration toolkits
Customers may chose one of the following options currently offered by BT from the VeriSign Applications integration suite for each CA. The cost of this option is included in the annual standard licence fee:
Trusted Web Transactions (previously Go Secure!)
for Web Applications which includes passcode authentication and Personal Trust Agent modules
Trusted Messaging (previously Go Secure!)
for Microsoft Exchange which includes Exchange client and directory integration tools, and
for Lotus Notes which includes Notes client and directory integration tools
Trusted IPSec
for Checkpoint
A SCEP responder is available for customers using IPSec protocol with CISCO devices
Additional solutions from the VeriSign suite are also available for larger customer solutions for SAP and Nortel.
BT additionally works with customers to offer Custom Identrus integration, but this solution is not in any way associated with the VeriSign offering previously known as Go Secure! for Identrus or Identrus Express.
Options 2: Extended Services
Customers may also chose any of the following additional Extended Management Services above the standard service offering:
Revocation options
BT offers two revocation service upgrades to the standard product:
Premium Revocation, which enables MPKI (and Single Application) customers to upgrade the frequency of the refresh rate for the Certificate Revocation List (CRL) from 24 hours to hourly for each of their CA's
OCSP, which enables customers to check certificate revocation status in real time using OCSP protocol.
Sample prices per annum for the following quantities of users:
|
Seats |
Premium Revocation |
OCSP |
|
1,000 |
�3,000 |
�4,000 |
|
2,000 |
�4,000 |
�5,500 |
|
5,000 |
�6,000 |
�11,000 |
|
10,000 |
�8,000 |
�16,000 |
|
100,000 |
�20,000 |
�70,000 |
|
1,000,000 |
�67,500 |
�260,000 |
Key Manager
Key Manager provides MPKI (and Single Application) customers with a complete centralised key management solution. This solution has three main functions:
Generation and distribution of end user keys and certificates
Back up of private encryption keys
Recovery of those keys and certificates.
This product is appropriate for MPKI (and Single Application) customers who want to enrol for certificates on behalf of their end users and/or for customers who want to have back-up and recovery for encryption private keys.
Key Manager will operate in single and dual key pair mode with Microsoft Exchange. Currently, only single key pair mode for Lotus Notes R5.
Sample prices for the following quantities of users:
|
Seats |
Annual KRS licence |
Set Up one off fee |
|
1,000 |
�20,000 |
�10,000 |
|
2,000 |
�26,500 |
�12,500 |
|
5,000 |
�46,500 |
�15,000 |
|
10,000 |
�56,500 |
�15,000 |
|
100,000 |
�100,000 |
�18,750 |
|
1,000,000 |
�267,000 |
�18,750 |
Customisation
In addition to the above, a number of commonly requested customisations are available from BT for specific customer requirements:
Custom Configuration Files � to enable non-standard and optional x509 extension requirements for specific customer applications
Multiple Jurisdictions � to enable certificate for the same common application to be issued with different parameters. Typically this function is used where client and device IPSec certificates are required to be issued under the same CA, or where organisational departments or closed user group member companies need to authenticate their own end user community under a common single CA.
Enhanced Service Management � additional reporting and alarms to custom specification via the helpdesk.
Root CA generation at 2048 key modulus � While most current browser technology restricts the length of keys which can be read to 1024, certain custom applications software in use by customers supports this, and subsequently BT is able to offer Root CA generation at 2048 key modulus to future proof customer�s existing PKI hierarchies. BT currently only supports Certificate Signing at 1024bit.
VeriSign Portfolio
While not generally offered as part of the standard BT portfolio, VeriSign offers a number of other enhancement services which BT is able to provide on a customer request basis. These include:
Digital Notarisation
Roaming
Desktop encryption
Click here to
go to the BT Checklist
Click here
to return to the Review
Click
here to return to the PKI Index Section
Send mail to webmaster
with questions or
|