Embed Size (px)
Citation preview
VDA Security ServicesFreeware Libraries Update
IETF S/MIME WG
29 March 2000
John Pawling
J.G. Van Dyke & Associates (VDA), Inc;
a Wang Government Services Company
Major Points of Briefing
• On 14 January 2000, the U.S. Department of Commerce published revisions to the Export Administration Regulations that changed the U.S. Government's encryption export policy. In accordance with these revised regulations, the S/MIME Freeware Library (SFL) source code files are now freely available to everyone at: http://www.armadillo.huntsville.al.us/software/smime.
• Unencumbered source code is freely available for all software discussed in this briefing. Organizations can use the software as part of their applications without paying any royalties or licensing fees. There is a public license associated with each library.
• S/MIME v3 interoperability testing.
VDA Security Services Freeware Libraries• Certificate Management Library (now available)
• Validates X.509 v3 certification paths and CRLs• Provides local cert/CRL storage functions• Provides remote directory retrieval via LDAP• http://www.armadillo.huntsville.al.us/software.
• S/MIME Freeware Library (now available)• Implements CMS/ESS security heading• Implements optional features such as: security label,
signed receipts, secure mail list support.
• Access Control Library (available later in 2000)• Will provide Rule Based Access Control using security
labels & authorizations conveyed in either X.509 Attribute or Public Key Certificates
• VDA-enhanced SNACC ASN.1 library provides DER.
VDA Security Services Modular Architecture
Cygnacom Certificate
Path Development
Library
S/MIME Freeware Library
Application(email, web browser/server, file
encrypter, etc)
Access Control Library (future)
SNACCASN.1 Library
Crypto Token
Interface Libraries
Certificate Managem
ent Library
S/MIME Freeware Library• SFL is a freeware implementation of IETF S/MIME v3 RFC
2630 CMS & RFC 2634 ESS.
• When used with Crypto++ library, SFL implements RFC 2631 D-H Key Agreement Method (E-S).
• SFL supports the use of RFC 2632 (Certificate Handling) and RFC 2633 (Message Specification).
• Goal: To provide reference implementation of RFCs 2630 & 2634 to encourage acceptance as Internet Standards.
• Protects any type of data (not just MIME).
• Designed to be crypto algorithm independent. SFL can be used with a variety of external crypto libraries that provide a variety of crypto algorithms.
SFL High Level Library
SNACCASN.1Library
Various PKCS #11 Libraries
CTIL for PKCS #11
Various Tokens
CTIL forCrypto++
Crypto++Library
CTIL forBSAFE
BSAFELibrary
CTIL: Crypto Token Interface Library
Note: Third parties are welcome to develop other CTILs.
SFL Architecture
Fortezza CI Library
CTIL for Fortezza
Fortezza Card/SWF
SPYRUS SPEX/ Library
CTIL for SPEX/
Various Tokens
SFL Interoperability Testing
• SFL S/MIME v2 interop testing: SFL used to exchange signedData and envelopedData messages with Microsoft Internet Explorer Outlook Express v4.01 and Netscape Communicator 4.X. SignedData messages also exchanged with RSA S/MAIL, WorldTalk, Entrust S/MIME v2 products.
• SFL S/MIME v3 interop testing (see later slides): Tested the majority of features in RFCs 2630 (CMS), 2631 (D-H) and 2634 (ESS) as well as some of the features in RFC 2632 (Cert) and 2633 (Msg). The SFL does not support every S/MIME v3 optional feature and does not build/process MIME headers.
• Limited S/MIME V3 CMS/ESS testing with Baltimore & Entrust has been performed. More interop testing with Entrust will occur under Bridge Certification Authority project.
SFL “Examples” Interop Testing
• Used SFL to successfully process and produce the majority of features documented in "Examples of S/MIME Messages".
• We had problems using some of the example key material, so alternate key material was used for some tests.
• We will send test results to “examples” mail list today.
• Complete test drivers and test data will be available in next SFL release or is available now separately upon request.
• In April 2000, we will provide specific recommendations for adding sample data such as signed receipts and countersignatures to the Examples document. Note: SFL can verify its own countersignatures, but no successful interop testing yet performed.
SFL-Microsoft Interop Testing
• S/MIME v3 interop testing between SFL & Microsoft successfully tested almost all signedData & envelopedData features using mandatory, RSA and Fortezza algorithm suites. For example, SFL (using Crypto++) exchanged E-S D-H-protected envelopedData.
• Almost all ESS features tested. Successful signed receipt interop testing. Triple-wrap testing not done, but SFL supports.
SFL “Matrix” Interop Testing• Microsoft created a matrix to be used to document S/MIME v3
interop testing. The matrix is more detailed than "Examples of S/MIME Messages" document. Test data that we will provide for inclusion in Examples document will exercise all matrix features.
• We verified that the SFL can produce and process the majority of the features documented in the matrix.
• We will send matrix to which we added the SFL test results to the “examples” mail list today. We also added correlations between “Examples” document and matrix rows.
• We developed sample objects that illustrate each feature in the
matrix that the SFL supports. Complete test drivers and test data will be available in next SFL release or is available now separately upon request.
SFL Test Driver Future Testing
• SFL interop testing is automated through use of test drivers and configuration files so it can be easily repeated and modified by VDA or independently by a third party.
• A third party could enhance the test drivers or incorporate them in an application such as an S/MIME interoperability testing auto-responder which organizations could use to test their S/MIME implementations.
IMC Mail Lists• The Internet Mail Consortium (IMC) has established separate
SFL and CML mail lists used to: – distribute information regarding releases; – discuss technical issues; and – provide a means for SFL users to provide feedback,
comments, bug reports, etc.
• Subscription information for the imc-sfl mailing list is at IMC SFL web page: http://www.imc.org/imc-sfl
• Subscription information for imc-cml mailing list is at IMC CML web page: http://www.imc.org/imc-cml
• PLEASE DO NOT SEND SFL OR CML RELATED MESSAGES TO IETF S/MIME OR PKIX WG MAIL LISTS.
