VeriSign Managed PKI Services

Business requirements to make suppliers, partners, and customers more efficient are driving enterprises to look into ways to securely open up their networks and applications. They are looking for new and different ways to do business to take advantage of the business communication and commerce that online channel opportunities provide. This includes business partner extranets and consumer Web applications.

In the past, authentication solutions have been costly and cumbersome to deploy and because of this, the proliferation of these solutions has been extremely limited. With VeriSign, customers can move to an easier, more ubiquitous universal authentication solution that relies on VeriSign’s Security Services to provide best-of-breed security for network and Internet resources.

VeriSign's technology leadership in strong authentication - demonstrated through our partnerships with Intel and Microsoft, and our role in setting open standards such as XKMS and WS-Security - ensures the highest ROI for your investments over time.

PKI and authentication services are delivered through VeriSign's military-grade public key infrastructure and Security Operations Centers ensuring 24x7x365 monitoring, management, and escalation across the globe.

Managed PKI Services Include:

Unified Authentication - Smart Cards

Enterprises and government agencies frequently deploy multiple authentication mechanisms to address diverse requirements within and beyond their networks and facilities. More and more they are using smart card-based credentials as they aim to increase security, address regulatory compliance pressures, and lower costs through the use of merged physical and logical access credentials. VeriSign Unified Authentication is a single, integrated platform for provisioning and management of all types of strong authentication credentials, such as digital certificates, one time password (OTP) tokens and smart cards.

VeriSign® Unified Authentication - Smart Cards is a comprehensive and easy to use suite of management tools specifically designed for smart card deployments, supporting a wide choice of smart card types, workflows, and deployment options for securing enterprises and government agencies. It includes a fully featured card management system (CMS), addressing the entire smart card credential life cycle, from card and credential issuance to replacement and cancellation, as well as managing smart badging and applets. Together with VeriSign Unified Authentication - PKI, it provides a highly integrated credential management solution.

Easy-to-Use VeriSign® Unified Authentication - Smart Cards is extremely easy to use. Users work through issues and management tasks step-by-step using unique and patented secure workflow technology. The self-service Web portal feature enables end users to perform smart card and credential management functions - such as renewal and activation - without requiring the help of an administrator.

Quick-to-Deploy Paired with VeriSign® Unified Authentication - PKI, VeriSign® Unified Authentication - Smart Cards is an out-of-the-box solution which allows for seamless integration into existing infrastructures and can be deployed in days, saving time and money.

Interoperability and Scalability VeriSign® Unified Authentication - Smart Cards supports a variety of third party technologies, providing a highly-scalable and future proof system which can grow with the organization’s ever expanding needs. It can integrate into a number of third party infrastructure components, such as smart card middleware, PKI services, physical access control software, and authentication devices.

Enhanced Flexibility and Tight Policy Control VeriSign® Unified Authentication - Smart Cards gives organizations the freedom to choose the most appropriate device and credential issuing models for their needs: bulk importing of card holder details, an easy-to-use self service portal, and a personalization bureau are all available. Access to the system can be controlled through definable roles, with an unlimited number of policies for issuing and managing credentials.

Credential Management and HSPD 12 Homeland Security Presidential Directive 12 (HSPD 12) mandates that all US Federal Government employees and contractors are to be issued with a standard and reliable form of identification. Consequently, Federal Information Processing Standard 201 (FIPS 201) was developed by the National Institute of Standards and Technology (NIST). FIPS 201 defines both the credentials to be issued and acceptable standards for the processes of registration, identity- proofing and issuance of Personal Identity Verification (PIV) cards for new and existing Government employees and contractors.

VeriSign® Unified Authentication - Smart Cards is a pre-packaged and integrated PIV and Shared Service Provider solution. By connecting the process for registration, identity-proofing, issuance and maintenance of PIV cards for physical and logical access, it aids US Federal Government Agencies and other organizations to quickly comply with the processes defined in FIPS 201. Since all system activity is logged into a security audit database with extensive reporting capabilities, organizations can easily enforce and manage rigid regulatory requirements.

Managed PKI Fast Track

The VeriSign Managed PKI Fast Track service is an entry-level service to secure enterprise applications on a small scale. Gain control over the issuance of digital certificates to internal and external users without the expense of designing, provisioning, staffing and maintaining your own PKI backbone.

Linked to VeriSign's robust, high-availability certificate processing services, the Managed PKI Fast Track service enables faster deployment and lower operating costs while providing an open standards-based platform that integrates with off-the-shelf solutions.

Features and Benefits

• Fast Time to Deploy A fully operational PKI can be up and running within a few days.
• Low Cost of Ownership Our Managed PKI Fast Track service delivers 60% lower cost of ownership when compared to in-house operations.
• Scalability VeriSign's Managed PKI Fast Track service allows you to scale smoothly from hundreds to millions of users by providing easy transition to VeriSign's Managed PKI Service. With this service model, your company pays only for the scale of PKI needed.
• Policy and Risk Management VeriSign processes meet the most exacting standards, supported by liability sharing and insurance protection. Independently evaluated and audited cryptographic materials management processes and secured records provide a solid base for swift, final dispute resolution.
• Secure, Reliable Operations VeriSign provides binding service-level agreements that include a high-security facility with specially trained, screened personnel, redundant systems, 24X7 customer support for your mission-critical PKI needs, disaster recovery, and full audit and archiving.

PKI Applications

VeriSign Managed Public Key Infrastructure (PKI) Applications and authentication services enable the enterprise to control access to information and lower total cost of ownership. VeriSign's service infrastructure provides provisioning and validation of authentication credentials, and is integrated with leading multi-factor authentication technologies, including USB tokens, smart cards, biometrics, and digital form signing.

Trusted Messaging VeriSign Trusted Messaging enables enterprise users to digitally sign and encrypt their email messages, ensuring end-to-end security for corporate email systems. This service works seamlessly with Microsoft Exchange, Microsoft Outlook, and Lotus Notes/Domino.

VeriSign® Services for WiMAX-Compliant Devices To establish the highest standard of wireless network authentication security, the WiMAX Forum™ requires that all WiMAX-compliant devices must be authenticated with X.509-standard digital certificates issued under the VeriSign managed WiMAX root Certificate Authority.

Cable Modem Services With this service, device certificates are created at VeriSign and automatically delivered to the manufacturer's site for easy embedment into devices at the time of manufacture.

Go Secure! for Web Applications Go Secure! for Web Applications lets you secure the Web interfaces to your new and existing mission-critical applications quickly and easily.

Go Secure for Microsoft Exchange Go Secure! for MS Exchange accelerates the deployment of secure email and messaging throughout your enterprise.

Digital IDs for Secure Email Installed in your Web browser or email software, a Digital ID serves as an electronic substitute for sealed envelopes and handwritten signatures and assures recipients that email really came from you.

Digital IDs for Secure Instant Messaging By digitally signing and encrypting your Instant Messages you can ensure that your confidential messages and file transfers are protected from tampering, impersonation and eavesdropping.

Device Certificate Service

The need to authenticate all hardware devices accessing networked services is increasing as businesses continually strive to prevent unintended devices from gaining access to protected networks and services.

The VeriSign® Device Certificate Service makes it fast, efficient, and cost-effective to embed X.509 certificates into any type of hardware devices such as cable modems, set-top boxes, Digital-Cable-Ready televisions, or WiMAX-compliant subscriber stations. The X.509-standard certificates embedded in the hardware devices enable service providers such as cable operators to perform strong authentication of their distributed devices used by their subscribers. The certificate-based authentication prevents any rogue device employed by unauthorized users from accessing services such as cable network based VOIP, digital media content, or broadband service.

With the VeriSign Device Certificate Service—which is completely hosted at VeriSign’s 24x7 secure data center facility—device manufacturers get a turnkey solution for generating batches of digital certificates and private keys through an easy-to-use Web interface and are therefore not required to master X.509-based certificate security technology or invest in expensive infrastructure. Device manufacturers order certificates in bulk by providing VeriSign with a list of MAC addresses or unique device IDs for the certificates. VeriSign securely returns the issued certificates encrypted to the manufacturers, who can then incorporate the process of injecting the certificates into the target devices as part of its overall device manufacturing process.

Business Authentication Service

Business Authentication Service (BAS) helps enterprises to authenticate business partners who are accessing sensitive information, or conducting high value B2B transactions on an extranet. By using the business partner registration information, BAS verifies and confirms the identity of the business partner using best of breed data providers, and confirms affiliation status of the individual who is conducting the transaction on behalf of that partner. BAS uses VeriSign PKI technology to support transaction and document signing, non-repudiation, and audit trails. BAS supports authentication of both domestic and international partners and is a cost effective and timely solution for authentication business partners worldwide.

Mortgage Industry PKI Service

Organizational and Individual Certificates VeriSign digital certificates for individuals and organizations in the mortgage industry provide authentication for secure information exchange between organizations and individuals affiliated with mortgage industry partners. When an individual connects to a secure server or business application across a network, the certificate authenticates that the user is who they say they are and provides access to the applications they are authorized to use. Confidential data is encrypted for secure transmittal.

VeriSign Mortgage Industry certificates are accredited by SISAC, Inc, and issued according to the VeriSign Trust Network Supplemental Certificate Policy and Certification Practice Statement for the Mortgage Industry PKI service. SISAC requires subscribers to use key sizes of at least 1024 bits. VeriSign will contact individual subscribers at the organization listed in enrollment to confirm their affiliation.

Key Management Services

VeriSign's Key Management Services provide the industry's most secure key management and recovery solution for enterprises deploying public key infrastructure (PKI) to secure a broad array of network applications. Key Management Services use state-of-the-art technology to provide enterprises with a complete key management solution. This solution includes centralized key generation, distribution and backup capabilities, archiving of key histories, and dual key pair support, coupled with a two-step recovery process which provides far greater security than in-house software alone.

Features and Benefits

• Dual Key Support Key Management Services supports dual keys by providing central generation and back up of encryption keys along with distributed generation of signing keys. Key Management Services is the industry's leading solution for non-repudiation because it combines this support for dual key pairs with strong security, audit and archive functions. Dual key pair support is critical for applications that utilize both encryption and digital signatures. An end user needs one key pair for encryption and another for digital signing so that the encryption key pair can be backed up without compromising the integrity of the user's digital signatures.
• High Security Key Recovery Unlike other alternatives, VeriSign's Key Management Services offers a unique approach to key management that provides the highest security available. It combines local software and backup of the key pairs with a key recovery service located at VeriSign. Private keys are stored at your enterprise in a secure, encrypted form that provides strong protection without requiring you to build a high security facility. Recovery of a key pair occurs by retrieving from VeriSign a unique key that can unlock the backed-up version of that specific key, but without your end user encryption keys ever leaving your premises. This removes any single point of compromise from the system, since even if someone has a complete copy of the database of backed-up keys, they will not be authorized to get the recovery keys from VeriSign. Authorization is needed to access the database.
• Centralized Key Management Key Management Services’ centralized key-generation functions allow an enterprise administrator to set up an end user's security and in so doing, simplify the process for users. The administrator can easily and quickly generate encryption key pairs, trigger a client application to generate a signing key pair, coordinate certificate acquisition for both key pairs and distribute the keys and certificates to the end user, without the end user having to register and request a certificate. Enterprises deploying PKI primarily for authentication, access control or non-repudiation without encryption may not need dual key support and key recovery, but they can still benefit from Key Management Services’ centralized management capability. Key Management Services significantly reduces end user support burdens and PKI deployment time. With Key Management Services, Managed PKI provides the broadest range of registration and distribution options available.

Key Management Services is part of the VeriSign Managed PKI product line. It works with Microsoft IE, Outlook XP, 2000, and 98, IBM Lotus Notes R5, and Netscape Communicator as well as with applications enabled with VeriSign-compatible toolkits. Key Management Services does not require proprietary client software and allows you to build and operate a best-of-breed enterprise security solution.

ECA Certificates

VeriSign ECA digital certificates are designed to enable secure transactions with U.S. government agencies. The Department of Defense (DOD) and many Federal, state and local agencies require the use of External Certification Authority (ECA) digital certificates to access Web sites and applications, digitally sign documents, and encrypt e-mail communications. ECA digital certificates are delivered by VeriSign’s intelligent infrastructure services recognized worldwide for reliability, scalability, and security.

NOTE: To comply with new regulations, as of December 17, 2007, proof of citizenship will be required prior to obtaining a certificate from the VeriSign ECA. Two forms of identification will be required, with at least one being a government issued photo ID. For renewals, all users will need to have validated citizenship information in-place to use auto-enrollment.

VeriSign ECA certificates are sold as a set including both an ECA Identity certificate and an ECA Encryption certificate. A bundled key escrow service protects and enables the recovery of private encryption keys. Key recovery is available for an additional fee.

Thawte Starter-PKI

thawte’s Starter-PKI (SPKI) Program enables businesses that require multiple certificates for their organization to acquire and manage these certificates in a manner that saves them considerable time, effort and money.

The Starter-PKI (SPKI) Program enables businesses that require multiple digital certificates to acquire these certificates in a manner that saves them considerable time, effort and money.

What does this mean?
It means that through thawte's Starter-PKI (SPKI) Program, you can be empowered to issue multiple SSL and Code Signing certificates for your organization, without the red tape normally associated with acquiring new certificates.

Is this appropriate for your business?
Well, quite simply, if you require more than three digital certificates per year, the SPKI Program will be beneficial to you.

Why is the Program beneficial?
It's about convenience. In addition to considerable savings, the SPKI Program allows you to take full control of all certification requirements in your organization. By undergoing a special vetting process upfront, you avoid the paperwork normally required for each new digital certificate. thawte's trusted root keys still sign your certificates, but they are authorized and approved by your own security personnel.

Types of certificates you can issue and manage using the thawte SPKI Program:

SGC SuperCerts:
Premium SSL certificates with automatic step up encryption.
Web server certificates that use special ‘step-up' technology to ensure that all communication is transmitted at 128-bit strong encryption.

SSL Web Server certificates:
Secure internet communication for data privacy.
Standard SSL digital certificates installed to assure your customers that they are not exposed to the risks of sending data over the Internet. These certificates are domain name specific.

Code Signing certificates
(Microsoft Authenticode, Microsoft VBA Macro Signing, Netscape Code Signing, Marimba, Apple File Signing, Java Soft):
Secure delivery of code and content to browsers.
Used to guarantee the publisher details and content integrity of downloadable code that you distribute.

What about thawte's trusted authentication and verification procedures?
These are not compromised in any way. thawte prides itself in being a truly trusted Certification Authority. The SPKI Program is based on pre-validation. Your account details and all the information you want your certificates to contain are checked upfront. If your certificate requests do not match the information in your account, they will be rejected automatically.

A Program that works for you
On joining the Program you will be allocated a dedicated account manager, who will be on hand to assist you with any issues that may arise. Full support is also offered through our team of highly experienced engineers on standby 24 hours a day, 5 days a week.

Some other features of the SPKI Program:

Cost effectiveness
By joining the SPKI Program you have the opportunity of receiving substantial reductions (starting at 25%) off the retail price of digital certificates.

Full control:
A user–friendly administration interface gives you complete control over requesting, editing, approving and terminating certificate requests.

Quick turnaround times:
You can expect to have a certificate issued within 30 minutes of a request (once your account has been approved) If your company has multiple domain or host names to secure, thawte's SPKI Program is the ideal solution to enable your digital padlocking without spending a fortune, and without compromising on authentication.

PKI – What is this?
Public Key Infrastructure (PKI) is the entire system that supports the implementation and operation of a certificate-based public key cryptographic system.

benefits
In addition to gaining full control over your certificate management process and enjoying discounted prices, you will gain the following benefits when enrolling for the SPKI Program:

• All certificates and renewals are covered by a single account enrollment
• Accounts are re-authorized every 2 years for security purposes
• Total control over requesting, editing, approving and terminating of certificate requests
• A 30 minute turnaround for certificates (once the account has been set up)
• Elimination of repetitive paperwork
• A dedicated Account Manager
• The expertise of thawte's technical support team, twenty-four hours a day, five days a week.
• A user-friendly user administration system to manage your account

Additional new benefit
A major software vendor has released a beta version of their browser that will have automatic certificate revocation checking as a default option.

This new checking protocol will maximise the speed of checking the status of thawte certificates and will minimise the possibilities of online fraud as invalid certificates and companies will immediately be exposed to the end customer.

thawte has invested in a significant infrastructure to move from using the old Certificate Revocation List (CRL) to this new Online Certificate Status Protocol ( OCSP ), something not all CAs will be able to provide and support.

And… the all-important thawte firm handshake of trust
The benefit of thawte's authenticated and trusted digital signature on all your certificates cannot be over stated.

thawte is one of the original pioneers of the digital certificate industry. When we started signing digital certificates back in 1996, we realised that the essence of online security would come down to trust , and that only fully trusted Certification Authorities would survive the long term. This is the reputation that we have cultivated over the years… a fully trusted Certification Authority.

Low cost, high credibility
Having had the benefit of being a first-mover and industry leader, thawte has developed a highly efficient infrastructure that allows us to fully authenticate certificates without transferring the extra costs normally associated with this comprehensive process to the cost of the certificates themselves.

A fully authenticated thawte certificate will always guarantee that:

• the organization named in the certificate has the right to use the domain name included in the certificate
• is a legal entity ; AND
• that the individual who requested the SSL certificate on behalf of the organization was authorized to do so.

Hence, we have been able to keep the cost of our certificates competitive, without compromising on the all-important trust factor.

The process of joining the SPKI Program:

1. Acceptance into the program is based on pre-approval. You enroll online for the thawte SPKI Program by submitting all your company documents and details to us for a vetting process. These details and all the information you want your certificates to contain are checked up-front.
2. Once we have validated all your details using the highly trusted thawte authentication and verification process, your account is approved and you will be able to issue certificates to all the domains validated in your account without any further interaction with thawte.
3. You administer your account from your desktop with a standard web browser. Along with being able to manage SSL Web Server certificates, Code Signing certificates and SGC SuperCerts, you will be able to add funds and security personnel into your account. Through this interface, you can also manage your organizational structure by adding departments and new companies as the need arises, while also requesting approval for new domains.
4. Allocated Security personnel will be able to submit a certificate request. Your appointed security officer within your organization will be notified of the pending request, and will be able to issue the certificate, reject the request, or edit it to conform to your pre-approved details.

who should join?
thawte's SPKI Program is highly recommended for any company requiring more than three digital certificates per year.

How to know if you will need more than 3 certificates per year

SSL Web Server certificates and SGC SuperCerts
If you want to assure customers that they are not exposed to the risks of sending data over the Internet you will need an SSL Web Server certificate or an SGC SuperCert. If you have more than one domain to secure in this manner, then you should have more than one SSL Web Server certificate or SGC SuperCert.

Code Signing certificates
Secure delivery of code and content to browsers. You require a Code Signing certificate if you need to guarantee the publisher details and content integrity of downloadable code that you distribute. You may require more than one Code Signing certificate if you distribute a number of different applications that use a variety of platforms.

What can the SPKI program do for you?
The SPKI Program (SPKI) empowers you to issue multiple SSL and Code Signing certificates within your organization, by means of self-service.

What is pre-approval?
Pre-approval is a crucial element of the program. For all certificate types that are included in the program, pre-validated templates are created against which individual certificate requests are matched. The system will only allow you to approve certificates that match these templates. Within that range, however, you are free to approve certificates containing whatever information you wish (e.g. host names, org units).

What is included in the program?
The program covers thawte SSL Web Server certificates, SGC SuperCerts and Code Signing certificates. It handles certificate approval, revocation and renewal. The program also keeps records of all your ongoing certificate information and financial tracking for reporting and accounting purposes.

Additional features include:
• 3 granular levels of security settings for personnel
• Easy editing of user profiles
• Add extra domains to your organisational profile at no extra cost