Strengths: Comprehensive e-commerce supporting capabilities.
Weaknesses: Implementation will not be a trivial matter in many cases.
Verdict: A serious tool for those wishing to secure e-commerce, B2B and similar applications.
SafeSign is a subtly different kind of product from the others in this test. It will appeal to those wanting to create a key and certificate infrastructure for identity enablement on critical applications, such as those in the e-commerce or business-to-business arenas, where secure transactions are crucial.
We tested the SafeSign Authentication Server, part of the SafeSign identity management suite. The authentication server is a Java-based platform, so the required Java components must be deployed on both development and production machines.
There is a useful installation and configuration guide in PDF format, although a good working knowledge of the security concepts and technologies involved would help.
The services available can be administered via a management console and an integral token management console, the presentation of which is workmanlike and intuitive. Command line administration is also possible.
The verification service supports PKCS#7 messages, XML digital signatures, IBM CBT signatures, certificates and PDF files. There are signature creation and random number services, PSM/Watchword MAC (Message Authentication Code) and challenge/response services using Thales PSM or Watchword 3 MAC messages, as well as a generic MAC verification service. Event and error logs are generated and, as an additional security measure, each log entry is supplemented with a sequence number and a MAC, so that an edited, inserted, removed or reordered entry becomes conspicuous to anyone verifying the log.
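To make the tamper-evident logging point concrete, here is an added example (written for this review, not SafeSign's own code, whose internal log format and keying are not documented on this page) of the general technique: each entry carries a sequence number and an HMAC that also covers the previous entry's MAC, so that editing, deleting or reordering entries breaks the chain. The key, the entry layout and the sample event lines are all constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical demo key. A real deployment would keep the log MAC key in an HSM
# or key store; this constant exists only so the example runs offline.
DEMO_LOG_KEY = b"demo-log-mac-key-not-for-production"
GENESIS_MAC = "00" * 32  # chain anchor used as "previous MAC" for entry 1


def _entry_mac(key, seq, prev_mac, message):
    """HMAC-SHA256 over (sequence number, previous MAC, message), so each entry
    is bound to its position and to everything logged before it."""
    canonical = json.dumps([seq, prev_mac, message], separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def append_entry(log, message, key=DEMO_LOG_KEY):
    """Append one event/error record to the in-memory log list and return it."""
    seq = len(log) + 1
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    entry = {"seq": seq, "msg": message,
             "mac": _entry_mac(key, seq, prev_mac, message)}
    log.append(entry)
    return entry


def verify_log(log, key=DEMO_LOG_KEY, expected_last_seq=None):
    """Walk the log from the start. Returns (ok, reason).

    Detects edited messages, inserted/deleted/reordered entries and forged MACs.
    Silent truncation of the tail is only caught if the caller supplies the last
    sequence number it expects (for example from a separately stored checkpoint)."""
    prev_mac = GENESIS_MAC
    for position, entry in enumerate(log, start=1):
        if entry["seq"] != position:
            return False, f"sequence break at position {position}: seq {entry['seq']}"
        expected = _entry_mac(key, entry["seq"], prev_mac, entry["msg"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, f"MAC mismatch at seq {entry['seq']}"
        prev_mac = entry["mac"]
    if expected_last_seq is not None and len(log) != expected_last_seq:
        return False, f"log truncated: expected {expected_last_seq} entries, found {len(log)}"
    return True, "ok"


def build_sample_log():
    """Constructed sample events (not captured from any real system)."""
    log = []
    for msg in ["verify PKCS#7 msg-1001 result=VALID",
                "verify XML-DSig msg-1002 result=INVALID reason=expired-cert",
                "challenge/response token=T42 result=OK",
                "ERROR HSM session timeout"]:
        append_entry(log, msg)
    return log


def with_message_changed(log, seq, new_message):
    """Attacker rewrites the text of one entry without the key to re-MAC it."""
    return [dict(e, msg=new_message) if e["seq"] == seq else dict(e) for e in log]


def with_entry_removed(log, seq):
    """Attacker deletes one entry from the middle of the log."""
    return [dict(e) for e in log if e["seq"] != seq]


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_log(log))
    print(verify_log(with_message_changed(log, 2, "verify XML-DSig msg-1002 result=VALID")))
    print(verify_log(with_entry_removed(log, 3)))
    print(verify_log(log[:-1]))                       # passes: dropping the tail is invisible...
    print(verify_log(log[:-1], expected_last_seq=4))  # ...unless a checkpoint count is kept
```

The last two calls show the caveat a practitioner should keep in mind with any sequence-number-plus-MAC scheme: it proves integrity of what remains, not completeness, so the latest sequence number (or a periodic signed checkpoint) has to be stored somewhere the log writer cannot silently rewind.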
As the SafeSign Authentication Server is a serious, industrial-strength product for use within transaction-based applications where security is paramount, it is not exactly a “plug and play” application for the average admin to deploy in a few hours.
Similarly, it is not simply an SSO or user-authentication system in the traditional sense, although it does use certificates and tokens to support the identification of the source and validity of messages and transactions. It will, however, appeal strongly to those involved in designing and setting up secure payment or business-to-business systems.
In conclusion, the SafeSign Authentication Server is a flexible and capable enabling foundation around which to build secure e-commerce or B2B applications.