Comparison  
     
Encryption and Key Management
 
 
           

View comparison overall rankingView comparison summary scoresView comparison detailed findingsView comparison graphsView comparison notes
   
 
 
  View detailed findings for all Criteria Groups. Please be patient while the data loads.  
View All
 
The current scoring system algorithm is exponential.

    Administration  
    The features and functionality that facilitate the management of the product.  
    Factor: Standard  
    Product Name Entrust PKI
5.0
iPlanet Certificate Management System
4.1
VPN-1 Certificate Manager
1.0
 
    Manufacturer Entrust Technologies, Inc. Sun-Netscape Alliance Check Point Software Technologies, Ltd.  
      Group Score:
146 out of 210
Total Score:
1505 out of 2325
  Group Score:
130 out of 210
Total Score:
1264 out of 2325
  Group Score:
100 out of 210
Total Score:
967 out of 2325
 
    Administrative Approach  
    Weight: 3   Weighted Score:
16


  Weighted Score:
12


  Weighted Score:
8


 
      There is an elaborate division of administrative tasks. The site planner is in charge of the installation and deployment. Master users have physical access to the CA host computer, can recover Security Officers and create reports. Security Officers have access to all administrative tasks. They can set the security policy, add and remove Administrators and authorize sensitive operations. Administrators can authorize and revoke user privileges. It is possible to require that several administrators authorize sensitive operations. Also, custom roles can be created for any organizational structure.   Administration and control of the certificates can be split into a large number of roles, as each server can be administered by security personnel, uptime administrators, recovery specialists, and normal user managers. The Console allows administrators and security personnel to control multiple machines if they have the clearances to do so. Roles for each of these tasks should be kept somewhat separate to prevent certificate forging and collusion.   User accounts and certificates can be managed from the Check Point Account Management Client, which orchestrates the third-party products (directory and certificate authority). The Check Point Certificate Authority Account Management program is Entrust/Master Control used, in particular, to start and stop services. The third-party products retain their other administrative client/server interface and administrative users.  
    Administrative Interface  
    Weight: 5   Weighted Score:
64


  Weighted Score:
48


  Weighted Score:
32


 
      The administrative interface, Entrust RA, which is most commonly used, is well designed and allows administrators to easily control all appropriate aspects of their users. Since different roles have different capabilities, the interface's effectiveness depends on what kind of role the user has access to. The interface handles the administration of multiple users, groups and machines easily.   The CMS uses the new iPlanet Console that is now common across all enterprise products, improving efficiency for admins familiar with this interface. The interface is a large improvement over the pre 4.0 release. Management of multiple servers and specific tasks is much easier. The task flow is much improved, and there is very little switching back and forth among multiple windows   Several tasks are only semi-integrated and it is necessary to use the administrative clients of the third-party products and/or the command line, adding to administrative burden.  
    Back Up/Recovery Options  
    Weight: 3   Weighted Score:
16


  Weighted Score:
4


  Weighted Score:
12


 
      Entrust PKI can be configured to perform periodic, automated database backups at off-peak hours. Logs are kept and can be audited. On the client side, the user profile, which contains a complete history of the user's decryption private keys, can be saved on diskettes, or stored on the local servers if designed by the administrators.   Limited backup and recovery options are available, and only include restoring database and directory files from a normal system backup.   Backups are not orchestrated by the Chec kPoint Account Management client. One must rely on the management tools of third party products (certificate authority and directory).  
    Remote Administration  
    Weight: 5   Weighted Score:
48


  Weighted Score:
64


  Weighted Score:
48


 
      The protocol used to protect the remote communication between Entrust/Authority and Entrust/RA is based on the standard GSS-API.   Remote administration can be done with the administration server. The administration server can be configured to use SSL (2.0 or 3.0) and run in secure mode. Hosts which are allowed to access the administration server can be restricted. Under Unix, the whole application can be installed and configured remotely.   Remote administration can be done over the intranet, firewall protected or using SSL on the Internet, with Check Point Account Management client.  
    Performance Monitoring  
    Weight: 2   Weighted Score:
2


  Weighted Score:
2


  Weighted Score:
0


 
      Entrust does not provide complete monitoring, but can monitor some information from the command line.   The certificate server activity can be monitored from the administration server. The absence of graphical display does not make performance monitoring easy.   Check Point does not provide performance monitoring.  
 

    General  
    Basic information about the product.  
    Factor: Standard  
    Product Name Entrust PKI
5.0
iPlanet Certificate Management System
4.1
VPN-1 Certificate Manager
1.0
 
    Manufacturer Entrust Technologies, Inc. Sun-Netscape Alliance Check Point Software Technologies, Ltd.  
      Group Score:
188 out of 330
Total Score:
1505 out of 2325
  Group Score:
192 out of 330
Total Score:
1264 out of 2325
  Group Score:
165 out of 330
Total Score:
967 out of 2325
 
    Components Included  
    Weight: 2   Weighted Score:
6


  Weighted Score:
6


  Weighted Score:
6


 
      The following components are included in the PKI package: Entrust/Authority, Informix Database, PeerLogic i500 Directory, Entrust/RA (not /Admin)   The following components are included in the package: Certificate Management System includes a Certificate Manager, Registration Manager and Data Recovery Manager, Directory Server, and Administration server.   The following components are included in the package: Check Point Account Management Client, Netscape Directory Server, Entrust Certificate Authority-Alliance. Other components often used in conjunction: Check Point FireWall-1, CheckPoint SecuRemote Clients.  
    Ease of Installation  
    Weight: 4   Weighted Score:
24


  Weighted Score:
32


  Weighted Score:
24


 
      The installation of the Entrust PKI suite uses a standard installation wizard, which proposes default values and does not require in depth knowledge of the operating system. Uninstallation is standard, as well as backing up to previous choices in the install process. When customizing the installation, things can get complicated and somewhat confusing, because of all the possible choices.   Installation was a simple process of following a standard 'wizard' and providing the system architectural information where needed. The administrator can back up though the process to fix any mistakes. Thought should be but into the installation of the different components, based on possible load and your security infrastructure.   The installation of the VPN-1 Certificate Manager is easy but takes some time. It does not require in depth knowledge of the OS. The user is guided by an installation wizard and has only to choose a few options. It is possible to select default values and run the installation very quickly. Although Entrust/Admin is part of the release package, it does not get installed automatically by the wizard. The platform requirement must be strictly followed. Site planning guidelines are very slim and no installation worksheet is provided.  
    Language Availability  
    Weight: 2   Weighted Score:
6


  Weighted Score:
6


  Weighted Score:
6


 
      English.   English.   English.  
    License Restrictions  
    Weight: 3   Weighted Score:
12


  Weighted Score:
16


  Weighted Score:
4


 
      The number of users is limited by the purchase agreement. The product may be installed on a single computer.   Multiple instances of the server may be run on a single computer. The included iPlanet Directory Server license is restricted for use with Certificate Management System and allows storage of millions per server instance.   Check Point imposes the following license restrictions: The Product may be installed only in combination and for use with FireWall-1 or with VPN-1 Secure Center products from Check Point Software Technologies Ltd. The Product may not used by more than 5000 users.  
    Module Deployment and Scalability  
    Weight: 5   Weighted Score:
48


  Weighted Score:
64


  Weighted Score:
16


 
      There is no limitation on the number of certificates published. It is possible to set up a hierarchy of CA with multiple servers. The method to scale up is well documented.   The Certificate Server can issue up to millions of certificates per server. It is possible to set up a hierarchy of CA with multiple servers.   The basic license includes 5000 users. There is no information available in the documentation about increasing beyong 5000 users.  
    Platform Tested  
    Weight: 1   Weighted Score:
1


  Weighted Score:
1


  Weighted Score:
0


 
      Windows NT 256MB RAM, 8GB HD, PII 333.   Windows NT 256MB RAM, 8GB HD, PII 333   Windows NT 256MB RAM, 8GB HD, PII 333.  
    Product Positioning  
    Weight: 1   Weighted Score:
1


  Weighted Score:
1


  Weighted Score:
1


 
      Entrust's Managed PKI is a cost-effective and easy to use solution that automates all security-related processes in your organization. With Entrust/PKI, users don't need to know anything about security.   iPlanet Certificate Management System is the industry's most scalable e-commerce PKI solution. Certificate Management System provides mission-critical scalability and performance, and is the PKI solution for market leaders in banking, healthcare, manufacturing, telecommunications and insurance. Integrated with iPlanet s market leading Directory Server, Certificate Management System provides the stronger security for web services of iPlanet s end-to-end user management solution for e-commerce, Unified User Management.   The VPN-1 Certificate Manager is a turnkey public key infrastructure (PKI) solution for enabling IPSec/IKE-compliant Virtual Private Networking. It allows organizations to implement secure and scalable VPNs across intranets, extranets, and the Internet, with unprecedented ease.  
    System Requirements  
    Weight: 2   Weighted Score:
2


  Weighted Score:
2


  Weighted Score:
2


 
      Windows NT 4 SP3+, 128MB RAM, Pentium 166 or better, TCP/IP stack.   Windows NT 4.0 or Sun Solaris 2.51or higher. 128MB RAM recommended with 100MB HD.   Windows NT 4 SP3+, 128MB RAM, Pentium 166 or better, TCP/IP stack.  
    Year 2000 Compliance  
    Weight: 3   Weighted Score:
12


  Weighted Score:
12


  Weighted Score:
12


 
      Yes.   Yes.   Yes.  
    Ease of Configuration  
    Weight: 2   Weighted Score:
4


  Weighted Score:
4


  Weighted Score:
6


 
      The server configuration is altered through the administrative interface, as well as modifying the certificate and architectural profiles on the certificate server. All but a few of the alterations can be performed through the administrative interface, and are well organized for most organizational structures.   While the CMS has the capability to configure the installation to meet almost any need, most of the configuration options are custom file creation and modification, rather than built into the GUI.   The server configuration is very simple. It is almost entirely handled by the installation wizard. Re-configuration may be tricky, depending on what the administrator wants to do, because it may require using the administrative tools of the third party products. Not all features are readily available from the Check Point Account Management client.  
    Failover  
    Weight: 4   Weighted Score:
24


  Weighted Score:
0


  Weighted Score:
40


 
      The Entrust PKI can be configured to auto-start all PKI services after an outage without compromising administrator and master passwords.   There is no mechanism provided for recovery from failure. The server is restarted manually.   All the components of the Certificate Manager can be configured to auto-start after an outage.  
    Quality of Documentation  
    Weight: 5   Weighted Score:
48


  Weighted Score:
48


  Weighted Score:
48


 
      The manuals are well written and well organized. They are available in PDF format on the CD and as hard copies. They include a good index and a good glossary. The reference manual is organized into administration tasks, which facilitates understanding the administrative approach. The PKI core products are all well documented, with the writers stating their assumptions clearly. There is no on-line help, just a link to the PDF documents.   The manuals are extensive and cover a large majority of any of the issues that the administrator would come across. They are available in print, PDF. Portions are a part of the online help system.   There is a good, simple quick start manual, with installation instructions and basic information on PKI and how to use the product (hard copy and PDF on the CD). The Check Point Account Management Client has a good manual provided in PDF format on the CD. It has an alphabetical index. The third party components come with their respective manuals in PDF format on the CD. The CheckPoint Account Management Client has an on-line help system.  
 

    Security  
    Security criteria may include, but is not limited to, standards such as SSL and SET, protection of administrative interfaces, user and administrator access, key management (PKI), encryption, authentication, firewalls, virus protection, and other various security tools and features.  
    Factor: Standard  
    Product Name Entrust PKI
5.0
iPlanet Certificate Management System
4.1
VPN-1 Certificate Manager
1.0
 
    Manufacturer Entrust Technologies, Inc. Sun-Netscape Alliance Check Point Software Technologies, Ltd.  
      Group Score:
222 out of 340
Total Score:
1505 out of 2325
  Group Score:
154 out of 340
Total Score:
1264 out of 2325
  Group Score:
118 out of 340
Total Score:
967 out of 2325
 
    Administration Security  
    Weight: 5   Weighted Score:
48


  Weighted Score:
48


  Weighted Score:
48


 
      A profile and password identify Master Users and Security Officers. The profile defines their task assignment. Some sensitive operations may need the authorization of several Security Officers. All administration tasks are logged and the logs are digitally signed. GSS-API is used for (remote) Entrust/RA to Entrust/Authority secure communication.   The administrators are authenticated by multiple passwords depending on the task: starting the administration server, starting the certificate server, accessing the administration server, issuing certificates. SSL can be enabled for remote administration. However, administrators are advised against remote administration. The administration server does not shut down automatically after a certain period of inactivity or if an unusual pattern of activity is detected. Administrators are advised to shut it down when it is not in use.   A profile and password identify Master Users and Security Officers. The profile defines their task assignment. Some sensitive operations may need the authorization of several Security Officers. All administration tasks are logged and the logs are digitally signed.  
    Database Encryption for Secure Storage  
    Weight: 2   Weighted Score:
6


  Weighted Score:
6


  Weighted Score:
6


 
      Entrust provides database encryption functionality.   Certificate Management System stores encrypted private keys in the directory in an encrypted format, and all communication with the database or directory is Triple-DES encrypted.   Check Point provides database encryption.  
    Detection of Suspicious Activities  
    Weight: 3   Weighted Score:
16


  Weighted Score:
12


  Weighted Score:
16


 
      The activity logs have 3 levels of audit severity; Log, Event and Alarm. All audit records are coded and have corresponding detailed messages allowing the administrators to correct problems or restore older configurations.   The error logs label some errors as potential security threats, e.g. a client trying to access a page without having the right privileges. There is no security alert mechanism.   The activity logs have 3 levels of audit severity; Log, Event and Alarm. All audit records are coded and have corresponding detailed messages allowing the administrators to correct problems or restore older configurations.  
    Integration with OS Security  
    Weight: 3   Weighted Score:
16


  Weighted Score:
4


  Weighted Score:
4


 
      Good OS security guidelines are provided to strengthen the security of the Entrust/Authority server and the web server user with the Entrust/Web connector. Simple steps are listed.   No real integration. It is possible for the administrator to start and run the server(s) acting as a different user(s). Some OS security guidelines are provided in the documentation, but no automatic check, warnings or enforcement are done. Some system settings can be changed or restored from the admin server.   Nothing is provided by Check Point to help the administrator enhance security for the server or servers which house the different components.  
    Key Splitting  
    Weight: 2   Weighted Score:
0


  Weighted Score:
6


  Weighted Score:
0


 
      Entrust does not provide key splitting.   Yes, Data Recovery Module supports M of N secret splitting for the protection of the storage key pair.   Check Point does not provide key splitting.  
    Password Security  
    Weight: 5   Weighted Score:
64


  Weighted Score:
32


  Weighted Score:
16


 
      Good password security introduction. Flexible password rules can be set by the administrator. The rules are enforced. Passwords are protected by an elaborate hashing algorithm and never directly passed over the network.   Basic guidelines are provided for choosing passwords/phrases. The guidelines are not enforced. There are multiple passwords and password requests involved. This creates a potential security problem in that users will be tempted to write down, duplicate or simplify their passwords, allowing someone to break into the system.   No detailed password choice guidelines are provided. Simple password rules are used and enforced.  
    Secure Distribution of the CA Certificate  
    Weight: 2   Weighted Score:
6


  Weighted Score:
2


  Weighted Score:
2


 
      Good guidelines are provided to distribute the CA certificate securely in a variety of ways.   Secure distribution is possible, but no guidelines are provided. The admin pre-install the certificate on the clients.   Secure distribution is possible, but no guidelines are provided.  
    Secure Software Installation  
    Weight: 2   Weighted Score:
2


  Weighted Score:
0


  Weighted Score:
2


 
      The software is distributed on a CD by the vendor. It is not digitally signed. Administrators are responsible for distributing the client software in a secure manner. There are installation logs, but they are not designed for auditing the installation.   No particular precautions are taken for secure software installation. The software can be downloaded from re-sellers. The software packages are not digitally signed to authenticate them. The software installation requires many complex steps with no installation log.   The software is distributed on a CD by the vendor. It is not digitally signed.  
    Security Lockout Capabilities  
    Weight: 3   Weighted Score:
8


  Weighted Score:
4


  Weighted Score:
4


 
      Administrators are locked out after a period of inactivity and must re-enter their passwords. Repeated failure to provide correct passwords causes the administration programs to exit. However, they can be started again immediately. No other suspicious patterns of activity have lockout consequences.   With repeated failure to provide the correct certificate database password on the client, Navigator produces a warning, but no lockout. Repeated failure to provide correct passwords to start the Certificate Server causes the start program to exit. However, it can be executed again immediately. No other suspicious patterns of activity have lockout consequences.   Administrators are locked out of Entrust administration clients after a period of inactivity and must re-enter their passwords. Repeated failure to provide correct passwords causes the Entrust administration programs to exit. However, they can be started again immediately. No suspicious patterns of activity have lockout consequences. The CheckPoint account manager client does not have any lockout capability.  
    Security Policies  
    Weight: 3   Weighted Score:
12


  Weighted Score:
4


  Weighted Score:
8


 
      Security Officers are responsible for specifying security policies, including the validity period of the various keys and certificates for the user types, the number of administrators required to authorize sensitive operations, and the nature of the functions that administrators are allowed to perform. Support for Policy OIDs, along with extra modules that enable security lockout capabilities.   The validity period of certificates and various other options can be selected from the administration server.   Security policies largely consist in choosing key lifetimes. Support for Policy OIDs is possible in principle via Entrust/Alliance, but it is not specifically supported by CheckPoint.  
    Security Tutorial and Help  
    Weight: 4   Weighted Score:
32


  Weighted Score:
24


  Weighted Score:
0


 
      Entrust provides good, detailed security guidelines for the site planner. Precise instructions for what to do to improve the server security that does not require advanced knowledge of NT.   The install guide has basic security advice. The Administrator's guide has a good cryptography and key management tutorial. Good instructions on how to protect the certificate server. The implementation of the security guidelines requires a good knowledge of the OS, no detailed help provided.   Nothing is provided by Check Point to help the administrator enhance security.  
    Support for Tokens  
    Weight: 3   Weighted Score:
12


  Weighted Score:
12


  Weighted Score:
12


 
      Supports use of PKCS# 11 compliant hardware and software tokens.   iPlanet supports use of PKCS# 11 compliant hardware and software tokens.   Check Point supports PKCS#11 hardware and software tokens.  
 

    Customization  
    The features and functionality that facilitate tailoring or modifying of the product.  
    Factor: Standard  
    Product Name Entrust PKI
5.0
iPlanet Certificate Management System
4.1
VPN-1 Certificate Manager
1.0
 
    Manufacturer Entrust Technologies, Inc. Sun-Netscape Alliance Check Point Software Technologies, Ltd.  
      Group Score:
47 out of 75
Total Score:
1505 out of 2325
  Group Score:
39 out of 75
Total Score:
1264 out of 2325
  Group Score:
12 out of 75
Total Score:
967 out of 2325
 
    API and SDK  
    Weight: 1   Weighted Score:
5


  Weighted Score:
3


  Weighted Score:
0


 
      Entrust has multiple APIs and SDKs for each of their component products, which allows a high level of custom development for companies that need custom programmatic solutions to their Encryption and Key Management solutions.   A Java API is provided for configuring modules to work with the CMS.   No API or SDK is provided directly, though the third party products do have APIs and SDKs available.  
    Certificate Customization  
    Weight: 4   Weighted Score:
24


  Weighted Score:
24


  Weighted Score:
0


 
      X.509 v3 extensions supported. The Flexible Certificate Specifications are stored in an ASCII file that can be edited by hand.   X.509 v3 extensions allow organizations to add their own attributes, or site-defined information, to the contents of certificates.   Check Point does not support certificate customization.  
    Configurable GUI  
    Weight: 2   Weighted Score:
6


  Weighted Score:
0


  Weighted Score:
0


 
      There are multiple ways to configure the GUI for different purposes: user registration fields are customized based on the user extension values needed and the naming convention chosen by the customer. Through RA Policy Control, the GUI is dynamically altered to just display the operations and users that a high-level administrator wishes to assign to a particular administrator or administrative task.   The GUI uses the iPlanet Console, which currently does not support custom configurations.   Check Point does not include a configurable GUI.  
    Application Performance and Optimization  
    Weight: 3   Weighted Score:
12


  Weighted Score:
12


  Weighted Score:
12


 
      Many performance optimizations are performed to minimize network traffic, e.g. Entrust maintains multiple small CRLs and each certificate contains a pointer to the location of its CRL; Entrust clients also cache CRLs.   iPlanet can optimize performance by multiple methods, including the number of processes the server spawns, the minimum and maximum number of threads the server uses, the listen-queue size, and DNS usage.   The two main third-party components can both be optimized for performance: the Netscape Directory Server and the Entrust Certificate Authority.  
 

    Monitoring and Reporting  
    System administrative features and functionality supporting transaction reviews.  
    Factor: Standard  
    Product Name Entrust PKI
5.0
iPlanet Certificate Management System
4.1
VPN-1 Certificate Manager
1.0
 
    Manufacturer Entrust Technologies, Inc. Sun-Netscape Alliance Check Point Software Technologies, Ltd.  
      Group Score:
88 out of 140
Total Score:
1505 out of 2325
  Group Score:
64 out of 140
Total Score:
1264 out of 2325
  Group Score:
52 out of 140
Total Score:
967 out of 2325
 
    Audit Trails and Logs  
    Weight: 5   Weighted Score:
64


  Weighted Score:
48


  Weighted Score:
32


 
      The Entrust/RA audit log viewer can be sorted by column and can be output to a file for post-processing. Audit events can also be sent to the NT Event Viewer for viewing.   The administration server can be set up to keep its own access logs and log of configuration changes. The certificate server activity is logged. Some basic tools are provided to examine the logs (e.g. searching for a word). Logs can be set to record only certain types of messages, e.g. only security-related events. No special audit tool is provided, but the certificate database can be searched with simple queries (name, date, serial number, etc.).   The parent third party products (certificate authority and directory) each keep their log files. The logs are kept as ASCII files and can be viewed with a text editor. Entrust logs are also digitally signed and stored in the Entrust database for audits. The Checkpoint Account manager can display Entrust logs.  
    Automatic Reporting  
    Weight: 3   Weighted Score:
12


  Weighted Score:
0


  Weighted Score:
8


 
      The Entrust/Authority can be configured to generate automatic reports. Reports can be saved as text files and consist of entries separated by tabulations. This is well suited to post-process reports with a spread sheet.   No reporting functionality is provided by iPlanet at this time.   The CheckPoint Account Manager does not provide a report utility. Simple user reports can be generated with the Entrust/Admin tool.  
    Customized Reports  
    Weight: 3   Weighted Score:
0


  Weighted Score:
8


  Weighted Score:
0


 
      Entrust does not provide customized reports, though support for third party ODBC reporting tools is provided.   Administrators can specify ranges, dates, etc. to restrict the scope of the reports generated by the log analyzer.   Check Point does not provide customized reports.  
    Remote Monitoring and Alerts  
    Weight: 3   Weighted Score:
12


  Weighted Score:
8


  Weighted Score:
12


 
      The administration access logs can be accessed remotely with the Entrust/Admin client. An alert mechanism can be setup by sending all logs to the standard output for logs (syslog for UNIX and NT Event Viewer on Windows NT), and by integrating a notification system like pagers or email, however this is not a robust solution for busy admistrators.   All the logs can, in principle, be accessed by HTTP through the administration server. (During testing only access logs could be viewed with the browser.) This provides real-time monitoring. There is no alert mechanism.   All logs can be accessed remotely from the various administration clients (web browser for Netscape Directory, Entrust/Admin client, Checkpoint Account Manager client). There is no alert mechanism.  
 

    Standards Compliance and 3rd-Party Compatibility  
    The various standards and protocols that are supported. Includes mechanisms such as APIs or direct integration to connect to other third party applications.  
    Factor: Standard  
    Product Name Entrust PKI
5.0
iPlanet Certificate Management System
4.1
VPN-1 Certificate Manager
1.0
 
    Manufacturer Entrust Technologies, Inc. Sun-Netscape Alliance Check Point Software Technologies, Ltd.  
      Group Score:
280 out of 415
Total Score:
1505 out of 2325
  Group Score:
249 out of 415
Total Score:
1264 out of 2325
  Group Score:
176 out of 415
Total Score:
967 out of 2325
 
    API Standards Supported  
    Weight: 1   Weighted Score:
3


  Weighted Score:
3


  Weighted Score:
3


 
      Entrust supports PKCS#11 (CRYPTOKI) and PKCS#12, along with GSS-API.   PKCS#11 and PKCS#12.   PKCS#11 (CRYPTOKI) hardware cryptographic interface supporting hardware tokens from any vendor.  
    Certificate and CRL Standards Supported  
    Weight: 5   Weighted Score:
48


  Weighted Score:
32


  Weighted Score:
48


 
      Extent's public key certificates are in accordance with X.509, including X.509 v3 extensions. Extent provides support for X.509 v1 certificates per Internet RFC 1422 (PEM). Certificate revocation lists, including v2 extensions. RSA algorithm identifiers and public key formats in accordance with Internet RFC 1422 and 1423 (PEM), and PKCS#1.   iPlanet's public key certificates are in accordance with ITU-T recommendations X.509 v1 and X.509 v3 extensions. No standard is specified for the Certificate Revocation Lists.   Check Point's public key certificates are in accordance with ITU-T recommendations X.509v3. Certificate revocation lists are in accordance with IUT-T recommendation X.509 (1997).  
    Client Management Protocol Supported  
    Weight: 1   Weighted Score:
2


  Weighted Score:
3


  Weighted Score:
3


 
      Entrust supports PKIX-CMP.   iPlanet supports Secure Socket Layer (SSL).   Check Point supports Secure Socket Layer (SSL)  
    Directory Standards Supported  
    Weight: 5   Weighted Score:
48


  Weighted Score:
48


  Weighted Score:
48


 
      Entrust supports LDAP.   iPlanet supports LDAP.   Check Point supports LDAP.  
    Encryption Algorithms Supported  
    Weight: 5   Weighted Score:
48


  Weighted Score:
48


  Weighted Score:
32


 
      Symmetric algorithms: CAST, DES , Triple-DES, RC2

Hashes: MD5, SHA, RIPEMD

Public-key algorithms: RSA, DSA , Diffie-Hellman, Elliptic Curve (ECC).

  Encryption algorithms include: RC4, RC2, DES, TripleDES, FIPS DES and FIPS Triple DES with MD5 or SHA hashes.   Symmetric algorithms: CAST, DES , Triple-DES, RC2

Public-key algorithms: RSA

 
    Encryption Applications Enabled  
    Weight: 5   Weighted Score:
64


  Weighted Score:
48


  Weighted Score:
16


 
      Entrust includes Web (SSL, Object Signing), Email (S/MIME), VPN, SET, and other enterprise applications (file/folder encryption, desktop authentication, remote access, e-forms).   Secure web transactions over SSL 2.0 and SSL 3.0. Secure email. File encryption. Object signing. Form signing.   Encryption applications include Firewall and VPN (both gateways and clients.)  
    Private Key Storage and Management Standards Supported  
    Weight: 1   Weighted Score:
3


  Weighted Score:
3


  Weighted Score:
2


 
      Entrust supports private key storage based on PKCS#5 and PKCS#8. RSA key transfer (Internet RFC 1421 and 1423).   PCKS#12 format is supported by iPlanet.   Check Point supports private key storage based on PKCS#5 and PKCS#8.  
    Secure Messaging Standards Supported  
    Weight: 4   Weighted Score:
32


  Weighted Score:
24


  Weighted Score:
0


 
      Entrust supports S/MIME and PEM   S/MIME   Check Point does not support any secure messaging standards.  
    Integration with Other Products  
    Weight: 4   Weighted Score:
32


  Weighted Score:
40


  Weighted Score:
24


 
      Entrust PKI is an entire suite of well-integrated products. Entrust/RA has the ability to inter-operate with other Entrust CAs or with other vendor's CA products via PKCS#7 and #10. Entrust/Express provides S/MIME email to MS Exchange and MS Outlook. Entrust PKI is compatible with other LDAP directories. Entrust has PKI connectors for SET, VPN and web applications. Cross-certification can be done via PKIX-CMP for inter-vendor interoperability.   iPlanet supports integration with most Netscape products, third party VPN and routing products, token vendors, certificate vendors and directory and database products.   The Certificate Manager integrates well with the Entrust Certificate Authority and Netscape Directory server. Other LDAP directories can be substituted. CheckPoint Firewall-1 and other VPN-1 products are compatible with the Certificate Manager.  
 

    Key Generation and Issuance of Certificates  
    The procedures and options for creating new keys and issuing them to the correct user.  
    Factor: Standard  
    Product Name Entrust PKI
5.0
iPlanet Certificate Management System
4.1
VPN-1 Certificate Manager
1.0
 
    Manufacturer Entrust Technologies, Inc. Sun-Netscape Alliance Check Point Software Technologies, Ltd.  
      Group Score:
284 out of 405
Total Score:
1505 out of 2325
  Group Score:
242 out of 405
Total Score:
1264 out of 2325
  Group Score:
176 out of 405
Total Score:
967 out of 2325
 
    CA Certificate Signing  
    Weight: 4   Weighted Score:
32


  Weighted Score:
32


  Weighted Score:
16


 
      Entrust has the ability to cross-certify with other Entrust CAs or with other vendor's CA products via PKCS#7 and #10. Also self-signs root CA.   The root CA self signs its certificate. Subordinate certificates are signed by their master CA in the hierarchy. Users can also chain Certificate Management System under a public CA through chaining services from CyberTrust, Verisign.   The root CA self signs its certificate.  
    Certificate Options  
    Weight: 5   Weighted Score:
64


  Weighted Score:
48


  Weighted Score:
16


 
      When customers define policies and register the associated OIDs with one of the international standards bodies, the OIDs can be entered into the certificates. Alternate identities can also be entered in the certificates. There are 4 certificate categories: Enterprise, cross-certificates, SET and Web. SET and Web licenses need to be purchased separately. Certificate properties cannot be modified. A new certificate must be issued. Only one category can be enabled at a time, making it necessary, for instance, to issue multiple certificates for users of both Enterprise and web certificates.   The administrator can set the following restrictions on certificates: Certify only PKCS-1 RSA public keys. Put constraints on distinguished names. Set a validity period. Specify a signature algorithm. Enable/disable X.509 v3 extensions. The certificate applicant can choose among several certificate types: personal (or client), server (or site), secure email, CA.   Check Point include only one certificate type, VPN.  
    Client-Side Key Pair Generation  
    Weight: 5   Weighted Score:
48


  Weighted Score:
48


  Weighted Score:
48


 
      The client generates the signing key pair. Using a reference number and an authentication code provided by an administrator, the user can enable the client to connect to Entrust/Authority. The user thus retrieves his private encryption key and certificates for both public keys, all of which are added to the profile.   The Client generates a key pair when you submit an HTML form that contains the KEYGEN tag. In the certificate server user interface, the form for requesting a certificate contains the KEYGEN tag.   The signing key pair may be generated by the firewall SecuRemote client. Using a reference number and an authentication code provided by an administrator, the user can enable the SecuRemote client to connect to Entrust/Alliance. Thus retrieving the encryption private key and certificates for both public keys, which are all added to the profile.  
    Cryptographic Hardware Supported  
    Weight: 1   Weighted Score:
4


  Weighted Score:
2


  Weighted Score:
0


 
      Entrust provides support for Atalla SignMaster ISP device to provide CA cryptographic hardware services to Entrust/Authority. Also support Chrysalis' LunaCA.   Any PKCS# 11 compliant harfware token is supported.   Check Point provides no support for cryptographic hardware.  
    Key Size  
    Weight: 4   Weighted Score:
24


  Weighted Score:
40


  Weighted Score:
24


 
      1024, 2048 RSA/DSA and 192-bit Elliptic Curve DSA for asymmetric and 64 to 128 and Triple DES for symmetric keys.   iPlanet allows custom key sizes, along with 1024 and 2048 for asymmetric keys and 64,80,128 lengths for symmetric keys.   Check Point provides 1024, 2048 for asymmetric and 64 to 128 for symmetric keys.  
    Public Key Registration Process  
    Weight: 5   Weighted Score:
64


  Weighted Score:
48


  Weighted Score:
48


 
      The registration is initiated by an administrator who must add the user to the Entrust/Authority database and generate a reference number and authorization code. The user must then add this reference number and authorization code to the request for a certificate. The certificate is automatically imported into the web browser. Administrators can bulk add users. Entrust/AutoRA product also allows for user self-service registration over the web. This eliminates the need to distribute a reference number and authorization code to the user.   Once a key pair is generated by the client, the public key is automatically submitted to the CA or the CMS for certification. The certificate is returned by email. Its installation in the client is automatic. Policy statements of the CA can be attached.   The registration is initiated by an administrator who must add the user to the Entrust/Authority database and generate a reference number and authorization code. The user must then add this reference number and authorization code to the request for a certificate. The certificate is automatically imported into the SecuRemote client. Alternatively, the administrator can generate a profile with all the keys on the server directly and give his profile to the user (e.g. on a diskette or hardware token.)  
    Server-Side Key Pair Generation  
    Weight: 4   Weighted Score:
24


  Weighted Score:
16


  Weighted Score:
24


 
      Encryption key pairs are always generated by the server. It is also possible to generate the signing key pair on the server and create a user profile containing all necessary information. This profile is then used by Entrust-Ready applications.   All enterprise servers ship with key-generation programs that the user can use to generate key pairs for the server. CA key change is tedious because it requires removing all copies of certificates issued with or containing the former key.   Encryption key pairs are always generated by the server. It is also possible to generate the signing key pair on the server and create a user profile containing all necessary information. This profile is then used by the Entrust ready SecuRemote client.  
    Time Stamping Method  
    Weight: 4   Weighted Score:
24


  Weighted Score:
8


  Weighted Score:
0


 
      With Entrust, it is possible to use a central server (Entrust/Time stamp) that imprints time stamps on data files to support non-repudiation, otherwise uses computer clock.   iPlanet uses the computer clock for time stamping.   Check Point uses the computer clock for time stamping.  
 

    Key Management and Data Recovery  
    Management of keys including certificate revocation and reallocation.  
    Factor: Standard  
    Product Name Entrust PKI
5.0
iPlanet Certificate Management System
4.1
VPN-1 Certificate Manager
1.0
 
    Manufacturer Entrust Technologies, Inc. Sun-Netscape Alliance Check Point Software Technologies, Ltd.  
      Group Score:
250 out of 410
Total Score:
1505 out of 2325
  Group Score:
194 out of 410
Total Score:
1264 out of 2325
  Group Score:
168 out of 410
Total Score:
967 out of 2325
 
    Certificate Import/Export  
    Weight: 4   Weighted Score:
24


  Weighted Score:
24


  Weighted Score:
0


 
      Entrust can import and export certificates as ASCII files. A cut and paste method is available to install certificates in servers. Additionally, servers that are Entrust-Ready can import certificates and keys automatically.   iPlanet can import and export certificates as ASCII files. A cut and paste method is available to install certificates in servers (including the Certificate Server).   Check Point does not provide support for certificate import or export.  
    Certificate Revocation Lists and Revocation Checking  
    Weight: 5   Weighted Score:
64


  Weighted Score:
48


  Weighted Score:
48


 
      Each certificate issued contains a pointer to its corresponding CRL. Entrust clients and Entrust enabled applications regularly check the CRLs. Administrators can push a CRL to the clients to enforce, almost instantly, the revocation of a certificate. CRLs contain less than 750 certificates. Users working off-line get warned if a CRL has expired. Authority Revocation Lists (ARLs) are also used similarly in cross-certified systems.   Certificate revocation lists (CRLs) are published by the certificate server and available to download from the client. Users can revoke their own certificates.   Certificate revocation lists (CRLs) are published to the directory by Entrust/Alliance. Administrators can force the immediate publication of a CRL.  
    Data Recovery  
    Weight: 5   Weighted Score:
48


  Weighted Score:
48


  Weighted Score:
48


 
      Master users can recover Security Officers from lost passwords. Administrators can recover users from lost encryption keys, since the encryption keys are stored on the server. The signing keys however are stored only on the client and cannot be recovered. The signing keys are re-issued as part of the user profile recovery procedure. It is important to note that the user's entire key history is recovered, not only the current keypair.   iPlanet provides data recovery through backups only.   Master users can recover Security Officers from lost passwords. Administrators can recover users from lost encryption keys (or passwords), since the encryption keys are stored on the server. The signing keys however are stored only on the client and cannot be recovered. They are re-issued as part of the user profile recovery procedure.  
    Directory Integration  
    Weight: 5   Weighted Score:
64


  Weighted Score:
48


  Weighted Score:
48


 
      Entrust provides very good integration. The PeerLogic i500 Directory is part of the core package and can be installed on the same server as the Entrust/Authority, allowing for simultaneous automatic backups. The Entrust/Authority and the PeerLogic i500 Directory are automatically synchronized. Can use other LDAP directories.   Synchronization possible with the Directory server (included in the package). Can use other LDAP directories.   Good integration of the product with the Netscape Directory server. The directory is synchronized with the Entrust/Alliance Certificate Authority. Backups/restoration of the database and the directory can, in principle, be synchronized, but it is left up to the administrator to write the scripts.  
    Key Loss or Exposure Reporting  
    Weight: 5   Weighted Score:
16


  Weighted Score:
0


  Weighted Score:
0


 
      There is nothing provided for reporting by users, but administrators can cancel keys, and audit logs will show and track the information.   iPlanet does not provide key loss or exposure reporting.   Check Point does not provide key loss or exposure reporting.  
    Method of Key Storage  
    Weight: 3   Weighted Score:
12


  Weighted Score:
8


  Weighted Score:
12


 
      The server keys used for administration are stored in the Entrust/Authority database. The user's decryption private key is stored in the user's profile on the client computer and backed up in the Entrust/Authority database. The user's signing private key is stored in the user's profile only. The user's encryption public key and verification public key are embedded in certificates. The encryption certificate is stored in the user's profile, in the Directory and the Entrust/Authority database. The verification certificate is stored in the user's profile and the Entrust/Authority database. User profile can be saved on hard drive, diskette, or smart card.   The CA signing key pair and the server SSL key pair are stored in files on the server hard disk. They are password protected. Backup storage is left to the administrator. The certificates issued (including the public keys) are stored on the server hard disk in the Informix database. Backing up the Informix database is not documented, the private keys issued by the clients remain on the computer where they were generated. They can be exported to files that can be backed up e.g. on a diskette. They are stored in a database, which is password protected. The private keys themselves are assigned a password only if they are exported.   The server keys used for administration are stored in the Entrust/Manager database. The user's decryption private key is stored in the user's profile on the client computer and backed up in the Entrust/Manager database. The user's signing private key is stored in the user's profile only. The user's profile can be saved to a diskette. The user's encryption public key and verification public key are embedded in certificates. The encryption certificate is stored in the user's profile, in the Directory and the Entrust/Manager database. The verification certificate is store in the user's profile and the Entrust/Manager database.  
    Private Keys Stored on Server  
    Weight: 2   Weighted Score:
6


  Weighted Score:
6


  Weighted Score:
8


 
      The encryption key pair history for all users, which includes all decryption private keys and all encryption public key certificates, is stored in the Entrust/Manager database. Private signing keys are not backed up on the server.   iPlanet provides server stored keys.   The encryption key pair history for all users, which includes all decryption private keys and all encryption public key certificates, is stored in the Entrust/Manager database. Private signing keys are not backed up on the server.  
    Renewal of Keys and Certificates  
    Weight: 3   Weighted Score:
16


  Weighted Score:
12


  Weighted Score:
4


 
      The Entrust PKI supports automatic key updates. Entrust/Entelligence and Entrust/Authority manage the key update protocol, which is transparent to the user.   Certificate Management System enables browser based certificate renewal via https:// with certificate based authentication, as a way to renew user certificates across browsers. Certificate Management System also allows for the CA, RA, and DRM certificates to be renewed within Certificate Management System, along with renewal / reissuance of router, VPN, and server certificates.   Renewal of keys or certificates is not yet supported, but user is notified 1 month prior to certificate expiration.  
 

  2000 Intraware, Inc.