SIBS Multicert Logo

PKI Characteristics

Technical and security characteristics of PKI solutions

Certification Authority

 

  • Issuance of X.509 and CVC certificates
  • Issuing CRLs and Delta CRLs
  • CA Cryptographic Keys on PKCS#11 Compliant HSMs
  • Administration web interface
  • Two-factor access control
  • Configurable user profiles (operators, administrators, auditors, etc.)
  • Audit logs
  • Compliance with RFC 5280, CWA 14167
  • Common Criteria EAL4+ CMIC Certification
  • Robust: Clustering, Backup, Disaster Recovery
  • Multilingual
  • Complete documentation package including CPS, CP, PDS, policies, manuals, diagrams, procedures, forms, and inventory

 

Timestamping Authority

 

  • Compliance with RFC 3161
  • Support for multiple timestamping units (TSU)
  • CA Cryptographic Keys on PKCS#11 Compliant HSMs
  • Administration web interface
  • Management of contracts and timestamp packages for wholesale and retail offer
  • Two-factor access control for internal users
  • Configurable user profiles (operators, administrators, auditors, etc.)
  • Audit logs
  • Built on Common Criteria EAL4+ certified security core
  • Assessed and approved by the National Security Office
  • Capable of internationalization (i18n): multilingual, writing sense, formatting, character encoding
  • Robust: Clustering (active-active), Backup, Disaster Recovery

 

OCSP - Online Certificate Status Protocol

 

  • Compliance with RFC 6960
  • Support for multiple CAs and OCSP responders
  • Cryptographic keys on PKCS#11 compliant HSMs
  • Administration web interface
  • Two-factor access control for internal users
  • Configurable user profiles (operators, administrators, auditors, etc.)
  • Audit logs
  • Built on Common Criteria EAL4+ certified security core
  • API for integration with existing CAs
  • Real-time update of certificate status via integration API
  • Periodic update of certificate status through CRL (blacklist) and LDAP (whitelist)
  • Replacement of legacy OCSP solutions without evolutionary support for a new solution, without development and integration needs of the remaining existing PKI
  • Apt for internationalization (i18n): multilingual, spelling, formatting, character encoding
  • Robust: Clustering (active-active), Backup, Disaster Recovery

 

Key Management System

 

  • Bulk pre-generation of cryptographic keys, immediately available for certificate issuance and personalization processes
  • Keys generated in HSMs, with quality and performance parameters superior to those generated in smartcard chips
  • Dynamic key stock management
  • Secure channel from HSM to personalization via transport keys and key-encryption keys (KEK)
  • Administration web interface
  • Two-factor access control for internal users
  • Configurable user profiles (operators, administrators, auditors, among others)
  • Audit logs
  • Built on Common Criteria EAL4+ certified security core
  • Apt for internationalization (i18n): multilingual, spelling, formatting, character encoding
  • Robust: Clustering, Backup, Disaster Recovery

Data Preparation

 

  • Formatting biographical and biometric data for identification documents and electronic passports
  • Compliance with LDS v1.7 ICAO 9303
  • Support for BAC, SAC/PACE, Active Authentication, EAC
  • API for integration with lifecycle and customization systems
  • Integrated with Key Management System
  • Audit logs
  • Robust: Clustering, Backup, Disaster Recovery

 

Document Signer

 

  • Signing biographical and biometric data for identification documents and electronic passports to protect authenticity and integrity
  • ICAO 9303 compliance, producing the Secure Document (SOD) framework
  • Support for BAC, SAC/PACE, Active Authentication, EAC
  • API for integration with lifecycle and customization systems
  • Audit logs
  • Robust: Clustering, Backup, Disaster Recovery

 

Card Management System

 

  • Application for final personalization of SSCDs (smartcards, USB cryptographic tokens, secure microSD)
  • Support for PKCS#11 compliant SSCDs
  • An on-chip key generation or import via a secure channel
  • Integration with smartcard printers
  • Graphical interface for customization operators prints preview
  • PIN letter printing on customizable templates
  • Cover and follow-up letter printing on customizable templates
  • Support for multiple configurable personalization profiles
  • Installation on multiple workstations for parallel customization
  • Restricted access control for customization operators

 

National PKD

 

  • LDAP interface for providing CSCA, Document Signer, CVCA, DVCA, CRLs, and Master Lists certificates
  • Hierarchical organization according to certificate name structure
  • Application with graphical interface for service management
  • Robust: Clustering, Backup, Disaster Recovery

SPOC - Single Point of Contact

 

  • Exchange of certificates and information necessary for the validation of electronic identification documents such as the Passport, which must be made available between member countries of the European Union
  • Receipt of requests for DVCA certificates from the national PKI EAC and delivery to the destination SPOC
  • Online reception of requests from SPOCs in other countries and forwarding to those responsible for the national PKI EAC
  • Compliance with ČSN 36 9791:2009, BSI TR-03110, and BSI TR-03139
  • Protection of communications between SPOCs through digital certificates issued by SPOC CA
  • SPOC CA registration by SPOC
  • SPOC CA CRL Publication
  • Administration web interface
  • Two-factor access control for internal users
  • Configurable user profiles (operators, administrators, auditors, among others)
  • Audit logs
  • Robust: Clustering, Backup, Disaster Recovery