June 29th, 2005, 04:48 AM
Questions to ask PKI vendors
Probably some of you will find this boring. But I really think this is really good and useful. We are in the middle of trying to decide what to do with our PKI.
Stolen from TechRepublic. They sometimes have some good stuff.
How will the certification and authentication process affect our workflow? [1]
Can I see a flowchart or diagram explaining the authentication and registration process?
Who are some of your current and previous customers? [1]
What steps have you taken to guarantee 24/7 access for authentication and registration? [1]
What is the total cost of implementing your PKI solution?
How does the cost break down?
What support will you give my company, and how much will it cost? [2]
Can you explain how the registration authority interface works? [3]
Is the registration authority operation separable from the certificate authority?
Are bulk registration operations supported? [3]
Did you license or develop the cryptography technology? [3]
Can your certificate authority accept an externally supplied signing certificate? (Gartner recommends that the certificate authority use X.509 v.3-compliant certificates, the current standard. Only one company–PGP–does not use this.) [3]
Does the certificate authority back up private keys for escrow and recovery? [3]
Can certificates be archived? [3]
Does the certificate authority use non-rewriteable media to ensure archive and audit integrity? [3]
What additional services are offered? (According to Gartner, notary services, time stamping, and key histories will come into play during auditing of electronic signatures.) [3]