 |
|
|
Certificate support: |
|
|
Format(s) supported
|
Base certificate format conforms to requirements of X.509v3. |
|
Extensions allowed? Standard/private
|
Extensions are allowed, both those standard extensions required by: � X.509v3 extension support � PKIX Certificate Profile compliance (optional) � FPKI compliance (optional)
Custom extensions can be provided on a per certificate and/or default template (i.e. for Netscape vs. Microsoft) basis. Custom extensions are automatically reflected in RA enrolment process. Default templates provided for Enterprise, Web, SET, VPN, PKIX compliance and FPKI compliance.
|
|
Multiple keys/certificates per user? Specify Yes/No and the number allowed or �no limit�
|
Multiple keys/certs per user is supported: � Default is two key pairs/certificates per user. � VPN defaults to single key pair/certificate � Web (off-the-shelf) defaults to single key pair/certificate � Toolkits allow issuance of multiple certs (no limit) per user |
|
Can certificates be customised? Method?
|
Yes. As described above, certificate extensions can be customised. RA can be prompted to input the specific extension value during customisation or a particular value can be defaulted. Templates can be defined and selected during registration. |
|
Revocation methods: |
|
|
CRL?
|
Yes. In accordance with X.509: distribution points as well as optional single large CRL for interoperability |
|
OCSP?
|
Yes. In conjunction with Valicert Responder |
|
CRT (Certificate Revocation Trees)?
|
Yes. Via Valicert Responder |
|
CRL Distribution Points?
|
Yes. Single CRL option simultaneously supported |
|
Scalability: |
|
|
Modularity Brief description of architecture (i.e. CA/RA on separate machines, etc)
|
CA and RA are separate entities. The CA (Entrust/Authority) operates on a single workstation with multiple RAs (Entrust/RA) that can be run remotely and simultaneously. Communication is done between RA and CA via secure session which can be done over the Internet. Entrust/RA is used for Registration, Administration and Security Officer interactions requiring authenticated users. The RA Toolkit (Entrust/RA Toolkit) can be used to integrate RA functionality into other applications |
|
Installation options
|
See above. All server components can be installed separately and run on separate workstations. |
|
Capacity Max no. of certificates per CA
|
1,000,000 users (multiple certs per user) in 5.0. Entrust state they have tested the PKI to 5 million users in the lab. (250,000 users/500,000+ certificates in 4.0) To further enhance scalability, user key histories can be archived to free up resources. In addition, multiple CAs can be installed and cross-certified to further increase scalability. Multiple CA�s can also be installed on the same machine. |
|
Security: |
|
|
Communications to client
|
Communication between the CA (Entrust/Authority) and Entrust-Ready applications are done via Entrust�s client plug-in (Entrust/Entelligence) and is secured with SPKM/GSS-API session security using the PKIX-CMP protocol. Communication with off-the-shelf web servers and browsers is done via the PKIX 7/10 protocol (with optional SSL session security). Communication with off-the-shelf VPN devices is through PKCS 7/10 or CEP (Cisco Enrolment Protocol for Cisco devices) or SCEP. |
|
Communications between CA/RA
|
Communication between CA and RA is protected by SPKM/GSS-API session security. RAs must authenticate with their Digital ID and token based access to the RA console is supported. In addition, both RA and CA enforce the specific administrative privileges (what each RA can do can be customised). |
|
CA/RA protection (tokens. Passwords, ACL�s, etc.)
|
Administrators must authenticate using their Digital ID. Token authentication is also supported. Specific per-RA privileges can be defined and automatically enforced. Security Officers also authenticate remotely requiring no direct connections to the server running the CA. |
|
Hardware protection of CA root keys? Specify Yes/No and method
|
Hardware protection of the CA keys is supported as an option. Supported devices include Chrysalis, Zaxus (formally Racal) and Atalla (nCipher certified with Release 5.1 4Q00)This can be used to extend the software-only FIPS 140-1 Level 2 certification to Level 3 |
|
PKI topologies: |
|
|
Cross certification methods allowed
|
Both peer-to-peer cross certification and hierarchies are supported. Hybrid networks of both types are also supported. Support for both PKCS 7/10 and PKIX-CMP for execution of these topologies are provided. Entrust/Entelligence and toolkits perform full trust path processing including policy constraints. |
|
If hierarchies are allowed: |
|
|
What depth?
|
No limit
|
|
At what levels can CA�s be cross-certified?
|
Root only |
|
Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance?
|
Yes. Note, joining a hierarchy after a CA is created requires re-issuance of certificates to end users (not an Entrust requirement � this is a requirement of the hierarchical trust model). To facilitate this, Entrust allows for users� key histories to be transferred from one CA to another |
|
Multiple RA allowed per CA? Specify Yes/No and the limit
|
Yes. No limit to the number (GUI designed to handle any number). Simultaneous remote connections to the CA only limited by host workstation and operating system. |
|
Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits): |
|
|
Face to face
|
Yes. Users can present themselves to the RA and their Digital ID and optional smartcard can be provided on the spot. Alternatively, they can be provided with a shared secret (termed �activation code�) with which to return to their workstation and use to create their keys and certs. |
|
Bulk/automated
|
Yes. Bulk files can be processed for most user administrative acts (registration, deletion, renaming, revoking, etc.) In addition, an API is available with the RA Toolkit with which these administrative functions can be integrated into existing applications and processes. |
|
Web
|
Self-service web registration is provided whereby the user simply navigates to a registration page, completes the requisite application and then automatically has their Digital ID created. |
|
|
Registration requests can be received via e-mail. This can result in an e-mail response with the actual Digital ID or the shared secret or Activation Code with which to complete the registration process and create the Digital ID subsequently. |
|
VPN
|
Yes. Most VPN devices have their own registration mechanism using PKCS 7/10 or Cisco�s CEP/SCEP protocols which Entrust supports. |
|
Other (specify)
|
Automated recovery via Web when a user forgets their password or breaks/loses their smartcard. This optional capability eliminates the need for specific administrator intervention when this event occurs. |
|
Device certification direct to CA or requires admin intervention?
|
Certification is done automatically as long as authenticating information is available (i.e. shared secret or activation code). Otherwise, admin intervention is required to authenticate the user before certification. |
|
Can RA interface be customised easily? Method?
|
RA interface is customisable : � Specific privileges of each RA can be defined (>100 functions available) with the interface automatically adapting. The definition of each role is available directly from the RA console to those administrators with sufficient privileges to perform this customisation. This enables the organisation to only expose those capabilities appropriate for an administrator�s existing role. � User registration dialogues are also customisable (i.e. what info is captured per user). This allows different registration dialogs to be created for different entities � for example, a web server, versus an end user, versus a router. Prompts for specific custom certificate extensions can also be provided. The DN construction is also completely customisable. |
|
Tool kits available? |
Yes � all Entrust/RA functionality is provided in the RA Toolkit (NT, Unix). |
|
Directory support: |
|
|
Own directory only or third party? Which third party directories?
|
Support is provided for any LDAPv2 or v3 directory Specific directory partners include Compaq, DCL, Lotus Domino, PeerLogic (i500), Innosoft, Critical Path (was ISOCOR), Nortel Networks, Novell, Oracle (Internet Directory), Siemens (DirX). |
|
Own directory provided out of the box?
|
Yes. Entrust OEMs the Peerlogic Live Content/i.500 directory. |
|
Can new objects be created on the fly by the PKI?
|
Schema modification (to be compliant with PKIX requirements), entry addition, entry renaming, etc. is automatic and transparent. Entrust stores certificates, cross-certificates and revocation lists in the directory. Entrust-Ready applications automatically retrieve certificates and CRLs from the directory without user intervention. |
|
Smartcard/token support: |
|
|
Which devices/standards?
|
For smartcards � PKCS 11 v1 and v2. For biometric devices: BioAPI. Devices that have completed certification by Entrust:
Smartcard only: ActivCard, BioNetrix, Datakey, I/O Software, Gemplus, NDS, Rainbow Technologies, Schlumberger, Setec Oy, Sony. Biometrics and Bio/Smartcard: American Biometric Company, BioNetrix, Indicator, Keyware, Mytec Technologies, Precise Biometrics, Sony. Additional devices are currently being tested. |
|
Client protection? |
Entrust-Ready applications have access to the Entrust Digital ID stored on Smartcards and using biometrics devices for authentication (devices as listed above). |
|
CA Administrator protection? |
CA Hardware devices (devices listed above). Physical access to the CA workstation required for basic operations such as starting/stopping the CA processes, collecting backup datasets. All administration operations done remotely via Entrust/RA interface with protection as for RA administration. |
|
RA Administrator protection? |
Use of smartcards for RA authentication is supported (devices listed above) |
|
Key management: |
|
|
Automatic key update?
|
Yes. Auto update of certificates and keys without administrator or user intervention. Key and certificate update is performed according to user policy defined by the RA. Entrust is also capable of automatically updating the CA key pair Necessary for security, the action is executed in a way to be transparent to end users. |
|
Automatic key histories? |
Automatically manages key histories. The user does not need to know which key goes with which encrypted file. Recovery is provided in a single retrieval of the key history in cases where the user loses access to their Digital ID (forgotten password, broken smartcard). |
|
Key backup and recovery? |
Encryption keys only backed up � not the signing key pair. Recovery can be via self-service (based on shared secret without the need for RA intervention) or via RA release (can require multiple approval as defined by customer). Single step recovery of entire key history is provided. Optional CA build provides NO key backup and recovery capability if required. |
|
Management interface: |
|
|
CA Administration � GUI/command line |
Both GUI and command line interfaces are available. Also API. Note that the RA defines Security Policy. CA administration focuses on physical management of workstation � i.e. Backup frequency, services start-up, etc. |
|
Logging/reporting Built-in reporting or third party?
|
All CA and RA actions and status are logged to a secure audit file on CA workstation. Logs can be exported via UNIX Syslog or NT Event Monitor for remote monitoring and notification on user-defined triggers. Built in reports as well as sample reports for third party tools such as Platinum InfoReports are provided. |
|
Policy-based management? |
Extensive policy control is provided: � Key management policy (key/cert lifetime, algorithms, roll-over timing, DN structure, etc.) These control the automated key/cert management. � Client side policy (control password rules, enforced token usage, allowable algorithms, etc.) These are automatically enforced by all Entrust-Ready applications. � RA policy (RA privileges). This automatically configures and enforces the specific set of functions a given administrator is allowed to function. The scope of user visibility is also enforced. � Revocation policy (frequency of CRLs). This configures the automated publishing of revocation information � including the provision to automatically publish upon a revocation action. |
|
Multiple CA administrators?
|
Yes. By default there are three CA administrators. Again, this if for physical configuration issues � i.e. starting up CA services, backup timings, etc. |
|
Multiple RA administrators?
|
Yes. Unlimited. |
|
Can different administrators be assigned different tasks?
|
Yes. As per above, administrator roles can be defined with over 100 customisable functions. This includes the ability to narrow the scope of users that a given RA may administer. Many pre-defined roles are provided. |
|
Interoperability: |
|
|
Standards supported:
|
See Entrust white paper �Entrust�s Open PKI Solution: Interoperability and Standards Support, August 2000� |
|
CA
|
� Certificates and optional extensions: X.509 v3 � Certificate Profiles: Federal PKI (FPKI) and PKIX Profile � both optional � Revocation Information: X.509 v2 CRLs (single and with distribution points. OCSP with Valicert responder � Certificate issuance: PKIX CMP, PKCS 7/10, Cisco Enrolment Protocol (CEP), Simple CEP (SCEP) � Key and Certificate Management: PKIX CMP � Cross-Certification: PKIX CMP and PKCS 7/10 � CA/RA and CA/client session security: GSS-API/SPKM and SSL � Algorithms: RSA, DSA, ECDSA, IDEA, CAST, DES, 3-DES, SHA-1, MD-2, MD-5, RIPEMD, RC2, AES (toolkits only to date) � Audit Log Protection: MAC (FIPS PUB 113) � Random Number Generation: ANSI X9.17 � Key Transfer: PKCS #1 � Digital Signature: PKCS #1 � Key Agreement: Diffie-Helman PKCS #3 � Key Storage: PKCS #5 and #8 � Directory Access: LDAP v2 and v3 ( � Directory Schema: PKIX Directory Schema � Hardware Interface: PKCS #11 v1 and v2 |
|
RA/AutoRA
|
� Certificates and optional extensions: X.509 v3 � Certificate Profiles: Federal PKI (FPKI) and PKIX Profile � both optional � Revocation Information: X.509 v2 CRLs (single and with distribution points. OCSP with Valicert responder � Certificate issuance: PKIX CMP, PKCS 7/10, Cisco Enrolment Protocol (CEP), � Key and Certificate Management: PKIX CMP � Cross-Certification: PKIX CMP and PKCS 7/10 � CA/RA and CA/client session security: GSS-API/SPKM and SSL � Algorithms: as above � Audit Log Protection: MAC (FIPS PUB 113) � Random Number Generation: ANSI X9.17 � Key Transfer: PKCS #1 � Digital Signature: PKCS #1 � Key Agreement: Diffie-Helman PKCS #3 � Key Storage: PKCS #5 and #8 � Directory Access: LDAP v2 and v3 � Hardware Interface: PKCS #11 v1 and v2 |
|
Crypto hardware
|
Hardware Interface: PKCS #11 v1 and v2 |
|
Directories
|
� Directory Access: LDAP v2 and v3 � Directory Schema: PKIX Directory Schema
|
|
Certificate protocols
|
� Certificates and optional extensions: X.509 v3 � Certificate Profiles: Federal PKI (FPKI) and PKIX Profile � both optional
|
|
Others
|
Additional protocol support in toolkits for application to application interoperability: File Encryption � S/MIME, PEM Session Security � GSS-API, SSL, IPSec PKCS#12 (Java toolkit only)
|
|
Third Party Application Support |
|
|
Specify key partners or applications that support your PKI products
|
Off the shelf applications/devices: � Web server/browsers � Off the shelf support via PKCS 7/10 � VPN devices � Off the shelf support via PKCS 7/10 and CEP � E-mail � Off the shelf support via PKCS 7/10 � SET � Off the shelf support via SET protocol � Any applications/devices using PKIX-CMP Entrust-Ready applications/devices: Over 100 vendors providing applications that plug-in to Entrust/PKI with advanced trust and key/cert management. Other security frameworks: � Microsoft CAPI � Via Entrust/Unity product which provides a signed CSP so same DigitalID from Entrust can be used with all CAPI applications as with Entrust-Ready applications. � Netscape Security Framework � Via Entrust/Unity product which provides a PKCS #11 plug-in so same Digital ID from Entrust can be used as with Entrust-Ready applications. � Java/JCE � via Java Toolkit.
|
|
Is this support via generic methods or proprietary tool kits?
|
Off-the-shelf applications/devices do not require any toolkits. Entrust-Ready applications/devices use one of Entrust-Toolkits: File Security, Session security, IPSec Negotiator, Java, Visual Basic, SSL, etc� Entrust provides crypto and algorithms on the user desktop. The ISV therefore includes the necessary calls to the already-present libraries. This includes key and certificate management capabilities and, thus, keeps the toolkit interface very high-level. It also means that the Entelligence client is required on every desktop if advanced functionality such as CRL checking and key histories is to be supported (unless toolkit users implement their own key management) |
|
Other notable points/USP�s: |
|
|
Please provide any additional information which may be pertinent
|
Additional PKI certifications: � Entrust�s PKI crypto kernel has been certified to FIPS 140-1 Level 1 (Release 1 to Release 4) and Level 2 (Release 5) � Entrust/PKI certified to Common Criteria Evaluation EAL3 (UK Itsec) (Release 4 and updated for Release 5) � Entrust/Ipsec toolkit validated by ICSA � Currently undergoing UK government CAPS certification Identrus compliance is provided by Entrust/PKI Release 5 with additional functionality provided by the Entrust Trade Services bundle. Entrust software is available in English, French, Japanese and German with more languages to follow. |
Click here to go to the Entrust Pricing
Click here
to return to the Review
Click here
to return to the PKI Index Section
Send mail to webmaster
with questions or
|