eTrust PKI FAQs
eTrust PKI is a digital certification solution that provides strong
authentication, integrity, confidentiality, and non-repudiation to allow
for secure access when working over the web or through the enterprise.
What is PKI?
A PKI (public key infrastructure) enables users of an insecure public
network such as the Internet to securely and privately exchange data,
communication and currency through the use of a public and a private
cryptographic key pair that is obtained and shared through a trusted
authority. The public key infrastructure provides for digital certificates
that can identify an individual or an organization, and directory services
that can store and, when necessary, revoke the certificates. A PKI
comprises a Certification Authority (CA), a Registration Authority (RA), a
Directory, and an optional Hardware Security Module (HSM). An
administrator processes a request via an RA for the CA to either issue
certificates (certs) or revoke them.
What is a Digital Certificate?
A Digital Certificate is a signed electronic document that is issued by
a certification authority to establish the relationship between a name and
a public key. A certificate is often provided as an attachment to an
electronic message used for security purposes. The most common uses of a
digital certificate are to verify that a user sending a message is actually
who they claim to be, and to provide the receiver with the means to
encrypt a reply. The digital certificate provides secure communication,
signing and non-repudiation between the sender and receiver.
What is a Certificate Revocation List?
A Certificate Revocation List (CRL) is a signed document that lists the
serial numbers of the certificates that are still within their validity
period and have been revoked. The time of revocation and the reason for
revocation are included. Certificates that are suspended (on hold) are
also included in the CRL.
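The CRL semantics described above (serial numbers of unexpired certificates, revocation time and reason, suspended certificates listed on hold), as an added example that is not part of the original page or of the eTrust product: a relying-party status check over a constructed CRL. Class names, the sample issuer "CN=Example CA" and the sample serial numbers are assumptions; the CRL's signature is assumed to have been verified already and is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

CERTIFICATE_HOLD = 6  # RFC 5280 CRLReason code for a suspended ("on hold") certificate
def at(year: int, month: int, day: int) -> datetime:  # UTC helper for sample data
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: Optional[int] = None  # None: the entry carries no reason-code extension
@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: Dict[int, RevokedEntry] = field(default_factory=dict)  # keyed by serial
@dataclass
class Certificate:
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime

def certificate_status(cert: Certificate, crl: CRL, now: datetime) -> str:
    """good / revoked / suspended / expired / stale_crl / wrong_crl (CRL signature
    is assumed to have been verified against the issuing CA's key already)."""
    # Validity window first: a CRL only lists certificates still within their
    # validity period, so an expired certificate is absent yet must not be trusted.
    if not (cert.not_before <= now <= cert.not_after):
        return "expired"
    if crl.issuer != cert.issuer:
        return "wrong_crl"  # a CRL only speaks for certificates of its own issuer
    if not (crl.this_update <= now <= crl.next_update):
        return "stale_crl"  # the relying party must fetch a current CRL first
    entry = crl.entries.get(cert.serial)
    if entry is None:
        return "good"
    if entry.reason == CERTIFICATE_HOLD:
        return "suspended"  # on hold: listed in the CRL but may be released later
    return "revoked"
# Constructed sample data (not real eTrust output): a one-week CRL with two entries,
# serial 1001 revoked for keyCompromise (reason 1) and serial 1002 on hold.
SAMPLE_CRL = CRL("CN=Example CA", at(2002, 5, 31), at(2002, 6, 7))
for serial, reason in ((1001, 1), (1002, CERTIFICATE_HOLD)):
    SAMPLE_CRL.entries[serial] = RevokedEntry(serial, at(2002, 5, 30), reason)
def sample_cert(serial: int, not_after: datetime = at(2003, 1, 1)) -> Certificate:
    return Certificate("CN=Example CA", serial, at(2002, 1, 1), not_after)
```

Note that an expired certificate is reported as "expired" even though it is absent from the CRL; a check that only consults the CRL would wrongly accept it.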
What are the trends in adoption of PKI?
The trend is toward increased interoperability of PKIs with off-the-shelf
applications. One of the functions of a PKI is to provide digital
signatures for trusted eCommerce. There is increasing legal recognition of
digital signatures throughout the world as an equivalent to ink signatures
on paper documents. Another important PKI function is to provide stronger
authentication for user access to applications, such as enterprise SSO.
PKI is also being integrated to provide secure email. The demand for PKI
is also being driven by the need for privacy and integrity of users'
personal data.
How does eTrust PKI differ from other vendors' PKI solutions?
Most PKI solutions on the market today require third-party integration,
so that customers must implement, manage and work with several vendors'
products to obtain a complete PKI. eTrust PKI is a single
vendor solution that is focused on ease of management and ease of
implementation. It does not require additional software like a directory
or database to operate. Furthermore, eTrust PKI is part of a family
of security solutions that can utilize PKI to provide enhanced eBusiness
benefits, including eTrust SSO, eTrust Web Access Control, eTrust OCSPro
and eTrust Directory.
Does Computer Associates intend to maintain interoperability with other vendors' PKI solutions?
Computer Associates supports interoperability between eTrust
security products such as eTrust SSO and standards-based PKI
solutions from other vendors. Any X.509 compliant certificate should work
with eTrust PKI. Field-developed integration is also possible using
eTrust APIs.
What value does eTrust PKI add compared with Windows 2000 PKI?
Public key infrastructure offered as part of the operating system
typically provides basic functionality and only gets upgraded or improved
when a new version of the operating system is released. eTrust PKI
provides an OCSP responder for real-time validation, a highly scalable
directory service and seamless integration to best-of-breed enterprise
single sign-on.
How does eTrust PKI integrate with other eTrust solutions?
eTrust PKI provides strong user authentication with optional use of
smart cards for eTrust SSO, eTrust OCSPro, and eTrust
VPN. In particular, deploying the market-leading enterprise SSO solution
eTrust SSO and eTrust PKI is a winning combination that no
single vendor can match.
How does eTrust PKI provide improved productivity for administration?
eTrust PKI can improve productivity through a web enrollment
feature that enables a Certification Authority manager to let end
users enter their own enrollment information.
Does eTrust PKI require additional software to offer a complete Public Key Infrastructure?
eTrust PKI does not require additional third party software other
than the platform operating systems. Everything is included to create,
revoke, validate and manage digital certificates.
How open is eTrust PKI to work with other vendors' directories?
eTrust PKI is designed to be able to publish certificates and
certificate revocation lists (CRLs) to third-party directories that conform to
LDAP, the industry-standard directory communications protocol.
Does eTrust PKI require eTrust SSO or eTrust Web Access Control to operate?
eTrust PKI does not require any additional software. It works well
as a stand-alone product. However, enhanced value can be achieved on
securing access for the enterprise and eBusiness in conjunction with
eTrust SSO or eTrust Web Access Control.
What smart card technology does eTrust PKI support?
Currently, eTrust PKI supports Gemplus GPK8000, Gemsafe, Rainbow
iKey 2000, ActivCard and Datakey CIP smart cards.
Does eTrust PKI support HSMs for root key management?
eTrust PKI supports the Chrysalis-ITS Luna CA3 root key management device.