Certificate support: | |
Format(s) supported | X509 V3, tachograph |
Extensions allowed? Standard/private | Yes, user definable. |
Multiple keys/certificates per user? Specify Yes/No and the number allowed or "no limit" | The RSA Keon Certificate Authority supports unlimited keys/certificates per user; normally one or two keys (one for signing, the other for encryption) per user are implemented. RSA Keon Web PassPort allows an unlimited number of virtual cards per user, each of which can hold two certificates with unlimited certificate replacements. |
Can certificates be customised? Method? | Yes, via the RSA Keon Certificate Authority or RSA Keon Registration Authority. These functions are provided through the administration console pages. |
Revocation methods: | |
CRL? | Yes |
OCSP? | Yes |
CRT (Certificate Revocation Trees)? | No |
CRL Distribution Points? | Yes |
Scalability: | |
Modularity: brief description of architecture (i.e. CA/RA on separate machines, etc.) | The CA and RA software can be installed on the same machine; however, in practice load balancing, resilience and system security considerations encourage keeping them separate. A single CA has been independently tested to 8,000,000 certificates. CAs can also be cloned for scalability, performance and availability. |
Installation options | Modular approach to installation, enabling distribution of CA/RA across multiple geographic locations. |
Capacity: max. no. of certificates per CA | Theoretically unlimited. Independently tested up to 8,000,000 certificates. |
Security: | |
Communications to client | SSL |
Communications between CA/RA | SSL |
CA/RA protection (tokens, passwords, ACLs, etc.) | All CA keys, including Root and Subordinate CAs, plus other signers for OCSP or CRLs, can be protected by an HSM (nCipher or Chrysalis currently; any PKCS#11-compliant HSM in August). All CA and RA keys used for secure SSL communication can also be stored on an HSM (nCipher). CA and RA administrators require certificates issued by the appropriate admin CA in order to access the admin consoles. The appropriate smartcard set must also be used with the HSM for certain functions. RSA Keon Web PassPort users require a password or an RSA SecurID token to access their digital credentials. |
Hardware protection of CA root keys? Specify Yes/No and method | Yes, HSM. Smart card sets are used to control the HSM and related CA functions (k of n). The HSM is also used for key recovery. |
PKI topologies: | |
Cross certification methods allowed | IETF/PKIX cross-certification via PKCS#7 and PKCS#10. Cross-validation for non-static trust relationships |
If hierarchies are allowed: | |
What depth? | Unlimited |
At what levels can CAs be cross-certified? | Any |
Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance? | Yes |
Multiple CA/RA allowed? Specify Yes/No and the limit | Yes. Theoretically unlimited. |
Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits): | |
Face to face | Yes |
Bulk/automated | Yes. Automated via RSA Keon OneStep. Bulk via "batch driver" or programming/scripting languages. |
Web | Yes |
Yes, small customisation required | |
VPN | Yes |
Other (specify) | CMP and RSA Keon CA API also can be used to automate enrolment, or perform bulk operations. |
Device certification direct to CA or requires admin intervention? | Direct to CA/RA via SCEP. Automated and manual vetting of cert requests is supported |
Can RA interface be customised easily? Method? | Yes, the admin GUI allows the RA enrolment interface to be customised: the administrator can specify the graphic images to use on the page and the text to display. Larger changes can be made via HTML pages and scripts. |
Tool kits available? | Yes. |
Directory support: | |
Own directory only or third party? Which third party directories? | CA/RA can publish to any LDAP-based directory. RSA Keon Web PassPort currently supports Microsoft Active Directory and the Sun ONE Directory Server (formerly Netscape iPlanet Directory) at product release. Other directories, such as Novell, are supported through our partner program. |
Own directory provided out of the box? | RSA Keon CA includes a "Secure Directory Server" used internally, which can also be used to publish certificates and CRLs. However, customers should purchase a commercial directory server for use as an enterprise directory. RSA Keon Web PassPort does not ship with a directory. |
Can new objects be created on the fly by the PKI? | Yes, the user and CA objects can be created automatically when publishing a certificate; certificates and CRLs can also be automatically published to existing entries in the directory. |
Smart card/token support: | |
Which devices/standards? | RSA SecurID token is supported via a Virtual Smartcard. RSA Keon supports standard smart cards for certificate storage via the PC/SC and PKCS#11 standards. |
Client protection? | Yes, any of the above |
CA Administrator protection? | Admin certificate, protected by any method above. |
RA Administrator protection? | Admin certificate, protected by any method above. |
Key management: | |
Automatic key update? | Not in the current version; the user must connect to a web page to update keys and certificates (fully automated update is planned for the next major release of RSA Keon Web PassPort, scheduled for 2004). |
Automatic key histories? | RSA Keon Web PassPort allows the user to maintain all key history in virtual cards. |
Key backup and recovery? | The CA has an optional Key Recovery Module for end-user encryption keys; it makes use of an HSM to protect archived encryption keys and to ensure that multiple administrators are required to recover a key. For CA keys, software-based keys are backed up with the system and HSM-based keys are backed up using the HSM's native functionality. |
Management interface: | |
CA Administration: GUI/command line | Web browser |
Logging/reporting: built-in reporting or third party? | Built-in logging in the form of digitally signed XML logs. Can be exported to an XML or CSV file to read with standard tools. |
Policy-based management? | Yes |
Multiple CA administrators? | Yes |
Multiple RA administrators? | Yes |
Can different administrators be assigned different tasks? | Yes, support of administrative roles as defined by Common Criteria. |
Interoperability: | |
Standards supported: | |
CA | X509V3, IPSEC, PKIX, SSL-LDAP, HTTPS, OCSP, SCEP, CMP, cross-certification, PKCS#7, 10, 11 & 12 |
RA | X509V3, IPSEC, PKIX, SSL-LDAP, HTTPS, SCEP, PKCS#7, 10, 11 & 12 |
Crypto hardware | nCipher (nForce and nShield), Chrysalis Luna CA3, PKCS#11 |
Directories | LDAP + SSL-LDAP |
Certificate protocols | X509V3, SCEP, CMP |
Others | PC/SC, PKCS#11, PKCS#12, MS CryptoAPI, SSL, S/MIME |
Third Party Application Support | |
Specify key partners or applications that support your PKI products | Microsoft Exchange, Outlook, Internet Explorer, IIS Web Server, Active Directory, Windows 2000 integration (smart card logon, etc.); Netscape Navigator, Communicator, Messenger; Checkpoint FW/VPN; Cisco VPN 3000 and IOS Router; Sun ONE Directory Server (formerly Netscape/iPlanet Directory); Novell eDirectory; Nortel Contivity; Adobe Acrobat. We have well over 100 partner products fully tested and documented at http://rsasecurity.agora.com/rsasecured/results.asp?product_program=105 |
Is this support via generic methods or proprietary tool kits? | Generic via open standards support. Many of these products use RSA Security's open standards based Crypto toolkits (BSAFE). |
Other notable points/USPs: | |
Please provide any additional information which may be pertinent | The RSA Keon CA solution is the first in its category to be certified to Common Criteria EAL (Evaluation Assurance Level) 4+. Additionally, the RSA Keon CA 6.5 software has been designed to support requirements for digital signing in Europe and Russia, as one of the only commercially available products to support both the European Union (EU) Directive on Electronic Signatures and the GOST public key digital signature algorithm. RSA Keon Certificate Authority provides real-time status checking of certificates natively and through OCSP. RSA Keon Web PassPort provides the credential mobility and security of a smartcard without the need for a smartcard reader. |