| Can the solution process PDF, XML, S/MIME and other PKCS#7 and CMS signed documents? | YES | Often limited to one or two formats |
| Can the solution handle basic signatures, timestamped signatures, long-term signatures, PDF certified signatures? | YES | Usually a limited ability to cover this |
| Can the solution handle ETSI XAdES, CAdES and PAdES signed documents with support for multiple extended signature formats? | YES | Often a limited capability |
| Does the solution allow the organisation to easily define the trust anchors (Root CAs and Issuer CAs) that are trusted? | YES | Often limited to Windows trust lists |
| Can the solution verify multiple signatures in a single call and return information on each of the signers? | YES | Detailed information is rarely returned |
| Does the solution support the OASIS DSS protocol and DSS-X Verification Reports, relieving applications of complex coding? | YES | A limited capability at best |
| Can the solution check both current and historic signatures and after a grace period, using a specified time in the past? | YES | Historic signatures are rarely handled |
| Can basic signatures be enhanced to long-term signatures (CAdES and XAdES) as part of the verification process? | YES | Usually a limited ability to cover this |
| Can the solution keep old CRLs from each trusted CA so that these can be used to check the signature status in the past? | YES | Rarely seen |
| For long-term signatures can the solution automatically use the embedded CRL/OCSP information if valid? | YES | Often a limited capability |
| Does the solution have effective role-based access security controls and maintain protected event and transaction logs? | YES | Check carefully: this is rarely seen! |
| Can a high availability load-balancing configuration be immediately deployed? On platforms other than Windows? And supporting a range of HSMs? | YES / YES / YES | Most have issues being this flexible! |
| Can CRLs, OCSP, XKMS or even SCVP services be used to check the signer’s status? Can a sophisticated validation policy be configured to define the order in which these mechanisms are used, and how to locate and communicate with the back-end status providers? | YES | CRL is common; OCSP is rarer. Support for XKMS and SCVP is very unusual |
| Can a copy of the original document optionally be kept within the solution’s transaction logs as evidence? | YES | Usually a completely separate action |
| Can a notary archive action be associated with the verification action such that a long-life archive signature and timestamp are applied within an LTANS compliant archive? Are a TSA and LTANS service provided as part of the same product? | YES | Usually a completely separate project or product. Support for LTANS very unusual |
| Verification / Validation Requirements | YES | Usually a completely separate project or product |
| Is there a solution option for extracting and sending only the signatures from documents to ensure privacy at the relying customer? I.e. is a gateway type product provided? | YES | Most have issues being this flexible |
| Is the solution designed to be used by both end-users, business relying parties and managed service providers? | YES | Often a limited capability |
| Does the solution provide detailed logging of each transaction, the evidential information & filtering/searching? | YES | Often a limited capability |
| Does the solution provide an in-built capability for service reporting (detail and summary reports)? | YES | Often a limited capability |
| Can the calling client applications be authenticated using request signing and/or SSL client certificates? Can these clients be limited to only use specific signature verification profiles? | YES | Most have issues being this flexible |
| Can the solution provide a standards-based approach to providing quality information on the signature algorithms, key lengths, hash algorithms and certificates associated with the signature and whether these meet the minimum local security policy requirements of the relying party? E.g. are the PEPPOL specifications supported? | YES | Rarely seen |
| Does the solution provide a Client SDK for Java and .Net environments plus source code samples and example applications to make integration really simple? | YES | Worth checking |
| Can the solution be created on Windows, Solaris and Linux platforms with support for 32- and 64-bit processing? | YES | Worth checking |
| Are various FIPS 140-2 level 3 or CC EAL4 HSMs supported? | YES | Worth checking |
| Is an effective security management environment maintained that protects the authentication mechanisms, the verification policies, the validation policies, the keys, certificates, operator and system event logs and the transactional logs? Is it compliant with CWA 14167-1 Requirements for Trustworthy Systems? | YES | Worth checking |