Setting the Standard.

VillageMall is the world leader in Application Service Provider security, in particular Public Key based security. Don't believe us? Compare our standards with anyone, worldwide.

This page provides you with information that you can use to compare world's best practice against other companies' offerings. On any comparison, we at VillageMall believe you will agree that we provide simply the best solution to protect your company information.

What to look for?

Certification Authorities

Certification Authority key sizes: VillageMall believes that a minimum of 2048 bits is needed. This provides the best compromise between security and performance. VillageMall example.

Certification Authority key protection: This simply must be in hardware; a minimum of FIPS 140-1 level 2 is required. Why FIPS 140-1? It's simply the best available today.
An ITSEC or Common Criteria evaluation without an associated protection profile is simply not good enough; it does not matter what the level of evaluation is. The best practice evaluations are performed within the UK or USA, as these countries have specific support for business rather than government-only evaluations.

Certificate policy: VillageMall believes that it is essential that all Certification Authorities make a statement, and assert within their Certification Authority certificate, which policies the certificates are being issued under. If there is no registered Certificate Policy available, do not use or rely on the security service. VillageMall example.

Certification Practice Statement: This tells you what practices and procedures the Certification Authority follows. VillageMall example.

CA Certificate Validity Period: There is no reason why these should be less than 10 years. VillageMall example.

Subscriber Agreements: A Certification Authority must tell you what your responsibility is.

Relying Party Agreements: A Certification Authority must tell each subscriber what can be relied upon within a certificate issued by the Certification Authority.

Certificate Revocation Lists (CRL): VillageMall believes that all Certification Authorities must make their CRLs available in a manner that can be used by commercially available software. VillageMall publishes its CRLs via the web, allowing real-time access to all VillageMall systems and clients. You should also check that the Certification Authority that issued your Digital ID is also responsible for issuing the CRL. If a CA does not publish a CRL, do not use or rely on the associated security service.
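The checks in this section can be run mechanically against the text form of a CA certificate. The following is an added example, not VillageMall code: it applies the thresholds stated above (2048-bit key, asserted policy, published CRL, 10-year validity) to a constructed `openssl x509 -noout -text` sample. The function name is hypothetical, and treating the CRL Distribution Points extension as evidence of a published CRL is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: trimmed `openssl x509 -noout -text` output for a made-up CA.
SAMPLE_CA_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2000 GMT
            Not After : Jan  1 00:00:00 2012 GMT
        Subject: CN = Example Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Certificate Policies:
                Policy: 2.999.1.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.test/root.crl
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"

def _date(label, text):
    """Parse the 'Not Before' / 'Not After' line into a datetime, or None."""
    m = re.search(label + r"\s*:\s*(.+)", text)
    return datetime.strptime(" ".join(m.group(1).split()), DATE_FMT) if m else None

def check_ca_certificate(text, min_bits=2048, min_years=10):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    m = re.search(r"Public-Key: \((\d+) bit\)", text)
    bits = int(m.group(1)) if m else 0
    if bits < min_bits:
        findings.append(f"key size {bits} bits is below {min_bits}")
    # The CA certificate itself must assert at least one policy OID.
    if not re.search(r"Certificate Policies:\s*\n\s*Policy: [\d.]+", text):
        findings.append("no certificate policy asserted")
    # Assumption: a CRL Distribution Points URI is how the CRL is published.
    if not re.search(r"CRL Distribution Points:\s*\n(?:\s+Full Name:\s*\n)?\s+URI:\S+", text):
        findings.append("no CRL distribution point")
    start, end = _date("Not Before", text), _date("Not After", text)
    if not (start and end) or (end - start).days < min_years * 365:
        findings.append(f"validity period shorter than {min_years} years")
    return findings
```

Calling `check_ca_certificate(SAMPLE_CA_TEXT)` returns an empty list; a certificate missing any of the four properties returns one finding per failed check.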

Subscribers

Key Generation: VillageMall believes that all keys must be generated under the control of the subscriber, preferably on a FIPS 140-1 level 2 hardware token. In all cases the Certification Authority must not have access to any subscriber's private key material. In particular, be careful of Certification Authorities that supply keys to you by insecure means such as floppy discs.

Key Size: VillageMall believes that all Subscriber keys must be a minimum of 1024 bits. In particular, be careful of Certification Authorities that supply 512-bit keys to you.

Key Archive: As with key generation, a Certification Authority must not keep a copy of any of your private keys. You will see statements that only key encryption keys are being archived/escrowed/recovered; do not allow any of your private keys out of your control.

Hardware Tokens: VillageMall believes that protecting your private keys is the basis of Public Key security services. All Subscribers must have a secure hardware token to use VillageMall premium services. If a Certification Authority issues certificates to software tokens, then it should have a separate certificate policy that clearly identifies what means is being used to protect the subscriber's private key. VillageMall supports two certificate policies to manage this requirement.
There is a wide range of security hardware available that varies from virtually useless to providing appropriate risk reduction. VillageMall has selected world's best practice hardware for use with VillageMall applications.

Certificate Validity Period: There is no reason why these should be less than 5 years for hardware tokens and two years for software tokens.

Web Sites

Server Key Size: All Website keys must be a minimum of 1024 bits.

Server Key Protection: Web Server keys should be protected by hardware. 

Certificate Validity Period: There is no reason why these should be less than 5 years. Ask anyone that has shorter periods why.

SSL Encryption Support: Minimum of 128 bits.

 

We understand that security is a journey, not an end point; the information provided here is the best available.

VillageMall: the only site secure enough for your business applications.