DRAFT

PKI Requirements and Desirable Features

Requirements:

• Scalable CMS management for 300,000+ active certificates
• Flexible and distributed registration interface allowing for local authentication, issuance, renewal, revocation
• Batch certification revocation ability
• Real time updating of CRL's
• Automated client certificate issuance capability (built-in and configurable/scriptable)
• Ability to access authentication and certificate payload data from UC system based on SQL,LDAP (Service)
• Robust public key directory with LDAP support including replication services
• Facility for certificate renewal
• UNIX port of software (CMS software package only)
• Plan for achieving 24-7 operation of CMS
• Plan for disaster recovery
• Compatibility with popular software packages on Win95/WinNT/MacOS, including:
  Netscape Navigator
  Internet Explorer
  Eudora Pro Email
  Outlook/Outlook Express Mail & Address Books
• Minimum client software
• Compatibility with popular secure web server packages, including
  Netscape Suitespot
  Microsoft IIS
  Stronghold (Secure Apache)
• Configurable certificate payload, including v3 extensions
• Support for CA hierarchy trust model
• Robust public key directory with LDAP support
• Robust, scalable servers - replication, load-sharing, etc.

Desirable:

• Interoperability with smartcard/token technology
• Support for PKCS #11 for local backup of certificates/key pairs
• Certificate rollover capability extremely desirable
• Software support for separate encryption and signing key pairs
• Encryption key pair escrow capability
• Capability to securely download (certificate,private key) pairs from a repository into a workstation