Safelayer KeyOne 2.1 Checklist

Certificate support:

Format(s) supported

X.509 (v1 and v3), PKCS #7 chain certs. For certificate requests: PKCS #10, self-signed X.509, Safelayer Templates, PKIX CertTemplates, and Netscape's SubjectPublicKey&Challenge.

Extensions allowed? Standard/private

Yes. The following extension groups are supported:
- X.509v3 standard extensions
- PKIX RFC 2459
- Netscape private extensions
- Microsoft private extensions
- User-definable extensions

Listed, they are:
- Issuer alternative names
- Subject alternative names
- Basic constraints
- Private key usage period
- Key usage
- Extended key usage
- Netscape certificate type
- Netscape revocation URL
- Netscape CA policy URL
- Netscape comment
- Subject key identifier
- Authority key identifier
- Certificate policies
- Authority information access
- OCSP no-check
- CRL distribution points

User-definable extensions are supported. Supported types are: BOOLEAN, INTEGER, IA5String, OCTET STRING and NULL.
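The user-definable extension types listed above are the primitive ASN.1 types a CA has to DER-encode before wrapping them in an X.509 v3 Extension structure. The following is an added example, not Safelayer's code, showing a minimal DER encoder for exactly those types (plus OBJECT IDENTIFIER and SEQUENCE, which the Extension envelope needs) and the rule that the `critical` flag is omitted when it is FALSE. The OID `1.3.6.1.4.1.99999.1` used for the demo is a placeholder under the private-enterprise arc, not a registered identifier.

```python
# Added example (not Safelayer's code): minimal DER encoder for the primitive
# types the checklist lists for user-definable extensions (BOOLEAN, INTEGER,
# IA5String, OCTET STRING, NULL), plus OBJECT IDENTIFIER and SEQUENCE so that a
# complete X.509 v3 Extension structure can be built and inspected.
#
#   Extension ::= SEQUENCE {
#       extnID     OBJECT IDENTIFIER,
#       critical   BOOLEAN DEFAULT FALSE,
#       extnValue  OCTET STRING }   -- holds the DER of the extension's value

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body

def der_boolean(value: bool) -> bytes:
    # DER requires TRUE to be encoded as a single 0xFF octet.
    return der_tlv(0x01, b"\xff" if value else b"\x00")

def der_integer(value: int) -> bytes:
    # Two's complement in the minimal number of octets (DER rule).
    if value == 0:
        return der_tlv(0x02, b"\x00")
    length = (value.bit_length() + 8) // 8   # one extra bit for the sign
    body = value.to_bytes(length, "big", signed=True)
    while len(body) > 1 and (
        (body[0] == 0x00 and body[1] < 0x80) or
        (body[0] == 0xFF and body[1] >= 0x80)
    ):
        body = body[1:]
    return der_tlv(0x02, body)

def der_ia5string(value: str) -> bytes:
    # IA5String is 7-bit ASCII only; reject anything else instead of mangling it.
    if any(ord(c) > 127 for c in value):
        raise ValueError("IA5String accepts only 7-bit ASCII")
    return der_tlv(0x16, value.encode("ascii"))

def der_octet_string(value: bytes) -> bytes:
    return der_tlv(0x04, value)

def der_null() -> bytes:
    return b"\x05\x00"

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        # Base-128 groups, most significant first, continuation bit on all but the last.
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    return der_tlv(0x06, bytes(body))

def der_sequence(*elements: bytes) -> bytes:
    return der_tlv(0x30, b"".join(elements))

def encode_extension(oid: str, value_der: bytes, critical: bool = False) -> bytes:
    """Build an X.509 v3 Extension. DER omits DEFAULT values, so the
    critical flag is only emitted when it is TRUE."""
    parts = [der_oid(oid)]
    if critical:
        parts.append(der_boolean(True))
    parts.append(der_octet_string(value_der))
    return der_sequence(*parts)

if __name__ == "__main__":
    # Hypothetical user-defined extension carrying an IA5String value.
    # The OID is a placeholder under the private-enterprise arc.
    ext = encode_extension("1.3.6.1.4.1.99999.1", der_ia5string("dept-42"))
    print(ext.hex())
    # The same builder produces the familiar critical basicConstraints CA:TRUE.
    print(encode_extension("2.5.29.19", der_sequence(der_boolean(True)), critical=True).hex())
```

Because DER is a canonical encoding, a profile engine that emits these bytes can be checked byte-for-byte against what a validating client expects; the critical basicConstraints case above encodes to the well-known `300f0603551d130101ff040530030101ff`.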
Multiple keys/certificates per user? Specify Yes/No and the number allowed or "no limit"

Yes. No limit.

Can certificates be customised? Method?

By certificate profiles. The number of template policies is unlimited. Templates are CA-definable, based also on a definable set of basic templates. Templates can also be serialised to text, to facilitate interchange of templates with different CAs. Issued certificates will contain the results of the requested data and the profile data.
Revocation methods:

CRL?

Yes (version 1 and version 2).

OCSP?

Yes. With the Safelayer OCSP Responder, or with third-party products such as ValiCert's OCSP VA.

CRT (Certificate Revocation Trees)?

Yes. Via ValiCert VA.

CRL Distribution Points?

Yes. Multiple cRLDistributionPoints per certificate are also supported.
Scalability:

Modularity. Brief description of architecture (i.e. CA/RA on separate machines, etc.)

CA and RA are completely separate modules that can operate on the same machine or on separate ones. The connection between them can be made in several ways depending on CA connectivity:
- by attached e-mail files, when the CA is totally off-line;
- by client TCP/IP connection when the CA is on-line for a limited period of time (HTTP and HTTPS are suitable for encapsulating the certification batches);
- by on-line service in on-line CA situations.

In the on-line version, the CA can be fed by an RA (separate administrative domain), an LRA (same administrative domain), or by BatchSDK (glue software for third-vendor or legacy installations). BatchSDK can also be used in off-line configurations.

Installation options

All modules have their own installation wizard and can be installed on the same or different systems. All modules can use the same or different databases.

Capacity. Max no. of certificates per CA

No limit.
Security:

Communications to client

Through conventional browsers (Internet Explorer, Netscape Navigator) by default. Configurable to accept mail, file, HTTP and HTTPS connections. Data formats accepted for requests are PKCS #10, self-signed X.509, Safelayer Templates, PKIX CertTemplates, and Netscape's SubjectPublicKey&Challenge. For responses they are PKCS #7, X.509v3 and PKCS #12. User-defined structures can also be added.

Communications between CA/RA

Signed or encapsulated (signed and encrypted) Safelayer Batch format.

CA/RA protection (tokens, passwords, ACLs, etc.)

Access to sensitive internal data is protected either by hardware (see below) or by software in the PSS (Private Secure Store). Database information is access-protected by the database's own mechanisms (it is not encrypted), with the addition of the Safelayer i3D mechanism, which fully protects integrity with asymmetric cryptography.

Hardware protection of CA root keys? Specify Yes/No and method

Software keys protected by 3DES under a password-derived key (SHA-1, PKCS #5), PKCS #11 hardware devices, and nCipher (key splitting).
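The software option above relies on turning a password into a cipher key with PKCS #5. The following added example, not Safelayer's code, shows PBKDF1 from PKCS #5 / RFC 2898 section 5.1 with SHA-1, with the limitation that matters in practice: PBKDF1 cannot produce more bytes than the hash digest, so SHA-1 yields at most 20 bytes, enough for a two-key 3DES key but not a three-key one. The iteration count, salt length, the two-key 3DES form and the parity-adjustment step are assumptions for the demo, not vendor parameters.

```python
# Added example (not Safelayer's code): PKCS #5 PBKDF1 (RFC 2898, 5.1) with SHA-1.
# The derived bytes would key a cipher such as 3DES; the cipher step itself
# is outside this example. Iteration count, salt size and the two-key 3DES
# form (16 bytes, K3 = K1) are assumptions made for the demonstration.
import hashlib
import hmac
import os

def pbkdf1(password: bytes, salt: bytes, iterations: int, dk_len: int,
           hash_name: str = "sha1") -> bytes:
    """T_1 = Hash(P || S); T_i = Hash(T_{i-1}); DK = leftmost dk_len bytes of T_c."""
    digest_size = hashlib.new(hash_name).digest_size
    if dk_len > digest_size:
        # This is the PBKDF1 ceiling: SHA-1 can never yield a 24-byte 3DES key.
        raise ValueError(f"PBKDF1 with {hash_name} cannot derive more than {digest_size} bytes")
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    t = hashlib.new(hash_name, password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.new(hash_name, t).digest()
    return t[:dk_len]

def with_odd_des_parity(key: bytes) -> bytes:
    """Set the low bit of every octet so each DES key byte has odd parity."""
    out = bytearray()
    for b in key:
        top = b & 0xFE
        ones = bin(top).count("1")
        out.append(top | (1 if ones % 2 == 0 else 0))
    return bytes(out)

def derive_3des_key(password: str, salt: bytes, iterations: int = 2000) -> bytes:
    """16-byte two-key 3DES key (assumed form) with DES parity bits set."""
    raw = pbkdf1(password.encode("utf-8"), salt, iterations, 16)
    return with_odd_des_parity(raw)

def new_salt() -> bytes:
    # 8 bytes is the salt size RFC 2898 uses for PBKDF1; an assumption here.
    return os.urandom(8)

def check_password(password: str, salt: bytes, iterations: int, expected_key: bytes) -> bool:
    """Re-derive and compare in constant time so timing does not leak a prefix match."""
    return hmac.compare_digest(derive_3des_key(password, salt, iterations), expected_key)

if __name__ == "__main__":
    salt = new_salt()
    key = derive_3des_key("correct horse battery staple", salt)
    print(key.hex(), check_password("correct horse battery staple", salt, 2000, key))
```

The stored PSS would keep the salt and iteration count beside the wrapped key; the password itself is never stored, and unlocking re-runs the derivation and compares the result.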
PKI topologies:

Cross certification methods allowed

Yes, via X.509 requests.

If hierarchies are allowed:

What depth?

Any depth. No limit.

At what levels can CAs be cross-certified?

At root level.

Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance?

Yes: users will automatically trust a new hierarchy as long as a CA in their trusted chain cross-certifies the new hierarchy.

Multiple CA/RA allowed? Specify Yes/No and the limit

CAs can be fed by multiple RAs (in separate administrative domains) or by multiple LRAs (in the same administrative domain).
Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits):

Face to face

Yes. Out of box with LRA-CA online. Also with BatchSDK toolkits.

Bulk/automated

Bulk with RA, LRA or BatchSDK. Automated procedures can be performed with BatchSDK.

Web

Yes, out of box with KeyOne Web. Customisable via Scryptor.

Yes, configurable via Scryptor.

VPN

Yes, using PKCS #10/#7, and available by mid-2001 with the SCEP toolkit.

Other (specify)

Customised through the RegistrationApprover API at the RA via Scryptor. Via remote Registration Operators with RRA.

Device certification direct to CA or requires admin intervention?

For the PKCS #10/PKCS #7 method it is configurable. For SCEP it will be automatic.

Can RA interface be customised easily? Method?

Yes, via a graphical interface for profile definitions. It can also be customised more deeply with Scryptor.

Tool kits available?

Yes. For the RA/CA interface: in the Scryptor language for BatchSDK, on Microsoft Windows NT 4 and Windows 2000, Sun Solaris 2.6, HP HP-UX 11.00, and IBM AIX 4.3.3. For client cryptography:
Directory support:

Own directory only or third party? Which third party directories?

Third party. Netscape Directory LDAP Server (iPlanet).

Own directory provided out of the box?

N/A

Can new objects be created on the fly by the PKI?

Yes. LDAP configuration is based on Scryptor, which can be used to easily match any Directory schema to the defined certification structure (certification and naming hierarchies/schemas can be different). Either the CA or the RAs can update the Directory. The RA does it out of the box; the CA can do it via configuration callbacks.
Smart card/token support:

Which devices/standards?

Tokens with PKCS #11 drivers, some ISO 7816-4 cards.

Client protection?

Uses a virtual high-security store (PSS - SmartToken) that can be built on disk (PKCS #5) and/or in combination with smart cards. All the toolkits work with smart cards. Safelayer also provides its own formatted smart card with an RSA PKCS #11 and Microsoft CSP interface. Safelayer has been granted an export license by the NSA (National Security Agency) for its Microsoft CSPs.

CA Administrator protection?

Any crypto hardware with a PKCS #11 interface. With nCipher KM devices, extra facilities are provided (n from m to activate the CA, key splitting, etc.). The CA Administrator uses a PSS on disk with PKCS #5 and 3DES to protect data other than the keys protected in hardware. Administrator access to the PSS can also be implemented on Safelayer smart cards or any other smart card/token using PKCS #11.

RA Administrator protection?

Same as CA.
Key management:

Automatic key update?

Depends on clients.

Automatic key histories?

Needs callback configuration through Scryptor at the CA.

Key backup and recovery?

Needs callback configuration through Scryptor at the CA.
Management interface:

CA Administration - GUI/command line

Web-based GUI and command-line Scryptor scripts for key generation. This allows fine-grained tuning of request and certificate contents.

Logging/reporting. Built-in reporting or third party?

Logging available. Reporting supported with third-party software via SQL queries (e.g. Crystal Reports).

Policy-based management?

Yes. Both graphical and text.

Multiple CA administrators?

Yes. Multiple CA operators, and multiple DB Masters.

Multiple RA administrators?

Yes. Multiple roles: Approvers, Responsibles and DB Masters.

Can different administrators be assigned different tasks?

Yes, by roles. In the RA there are three different roles: responsible (1), approver (N) and master (K). In the CA there are three different roles: responsibles (N, to implement the n-from-m set-up of the CA), administrators/officers (1 from h), and masters (k). These roles are fixed, however, and cannot be altered within the KeyOne system.
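Both the "n from m to activate CA" facility under CA Administrator protection and the n-from-m responsibles role above describe a threshold control: no single officer can bring the CA up. The following added example, not Safelayer's or nCipher's code, illustrates the standard construction behind such controls, Shamir secret sharing over a prime field, where a CA activation secret is split into m shares and any n of them reconstruct it while n-1 reveal nothing. The vendor's actual scheme and parameters are not described on the page and are not assumed here; the field size and the sample secret are choices made for the demo.

```python
# Added example (not Safelayer's or nCipher's code): n-of-m threshold sharing
# of a CA activation secret with Shamir's scheme over GF(p). Any n shares
# recover the secret; fewer than n give no information about it.
import secrets

PRIME = 2**127 - 1   # Mersenne prime chosen for the demo; secrets must be < PRIME

def _eval_poly(coeffs, x):
    """Horner's rule; coeffs[0] is the constant term (the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret: int, threshold: int, share_count: int):
    """Return share_count (x, y) points on a random degree threshold-1 polynomial."""
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def activate_ca(presented_shares, threshold: int, expected_secret: int) -> bool:
    """Quorum check an operator console would run: refuse below threshold,
    and only activate if the reconstructed secret matches the stored verifier."""
    if len(presented_shares) < threshold:
        return False
    return recover_secret(presented_shares[:threshold]) == expected_secret

if __name__ == "__main__":
    activation_secret = secrets.randbelow(PRIME)   # constructed demo value
    shares = split_secret(activation_secret, threshold=3, share_count=5)
    print("5 officers issued, 3 present:", activate_ca(shares[:3], 3, activation_secret))
    print("only 2 present:", activate_ca(shares[:2], 3, activation_secret))
```

In a real deployment the shares live on officers' tokens and the reconstruction happens inside the HSM, so the combined secret never exists on the host; the arithmetic is the same.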
Interoperability:

Standards supported:

CA

- Certificate formats: X.509 v3
- Certificate profiles: contain all available standard extensions (X.509, PKIX, Netscape, Microsoft), and all of them can be combined.
- Revocation information: X.509 v2 CRL with single and multiple Distribution Points, and OCSP.
- Certificate issuance: Safelayer Batch.
- Key and certificate management: Safelayer Batch, PKCS #7/#10.
- Algorithms: RSA, DES, 3DES, SHA-1, MD5, RC2, RC4.
- Key transfer: PKCS #1
- Digital signature: PKCS #1
- Key storage: PKCS #5, PKCS #8 and PKCS #12.
- Database access: ODBC, Oracle, MS SQL

RA

See CA above.

Crypto hardware

PKCS #11, CSP (only as providers, not as users).

Directories

Directory access: LDAP v2 and v3. Directory schema: any, by configuration.

Certificate protocols

X.509 v3

Others

PKCS #12, SSL v3, S/MIME, MS CSP, SET. Smart cards:
- PKCS #11
- Microsoft CSP (strong cryptography)
- ISO 7816-4
|
Third Party Application Support

Specify key partners or applications that support your PKI products

Off-the-shelf applications/devices:
- Web servers/browsers: out-of-box support via PKCS #7/#10 and Netscape SPKAC.
- E-mail: off-the-shelf support via PKCS #7/#10.

Other security frameworks:
- Microsoft MS CAPI: the Safelayer SmartToken CSP can be used by applications that use MS CAPI to access keys and digital certificates, for instance Microsoft Explorer and Outlook.
- PKCS #11: the Safelayer SmartToken PKCS #11 module can be used by applications that use PKCS #11 to access keys and digital certificates, for instance Netscape Communicator.

Is this support via generic methods or proprietary tool kits?

Generic methods for standard applications. Safelayer toolkits can be used to enhance third-party applications with PKCS #7, S/MIME or SSL functions.

Other notable points/USPs:

Please provide any additional information which may be pertinent

Safelayer KeyOne PKI has the following additional features:
- Support for thousands of user certification requests in the same RA/CA interaction. Current PKIX implementations only support one user request.
- Works in both off-line and on-line modes.
- Both RA and CA support smartcard printers (e.g. DataCard).
- Support for outsourcing of smartcard generation (memory and cryptographic).
- A very flexible certificate and CRL policy editor that allows customisation of any certificate and CRL design.
- Either or both of the RA and CA may update the Directory. Certification and Directory/Naming schemas are independent.
- Very flexible customisation and integration into legacy systems using Batch SDK and Scryptor.
- PKI X.509v3 certification functions tested under the SET/SETCo compliance test programme.
- Database iD3 integrity mechanism.
- Flexible web-based GUI with wizards to ease CA and RA installation and administration.