The Dartmouth site is related to a broader federal PKI Technical Working Group which is developing PKI standards and protocols. See:
http://csrc.nist.gov/pki/twg/welcome.html Below are two recent messages from the PKI-TWG mail list on some of the work being done. Subscribe to the PKI-TWG mail list: To: [EMAIL PROTECTED] Subject: Subscribe pki-twg Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <[EMAIL PROTECTED]> subscribe pki-twg [your name] ----- Date: Mon, 25 Mar 2002 13:25:46 -0500 (EST) Message-Id: <[EMAIL PROTECTED]> Errors-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Precedence: bulk From: "Pawling, John" <[EMAIL PROTECTED]> To: Multiple recipients of list <[EMAIL PROTECTED]> Subject: v1.3 R10 Enhanced SNACC Freeware Now Available X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas Content-Type: text/plain; charset="iso-8859-1" All, Getronics Government Solutions has delivered the v1.3 R10 Enhanced SNACC (eSNACC) Abstract Syntax Notation One (ASN.1) Compiler, C++ library and C library source code and binaries tested on the Linux, Sun Solaris 2.8 and Microsoft Windows NT/98/2000/XP operating systems. The eSNACC software is freely available to everyone from: <http://www.getronicsgov.com/hot/snacc_home.htm>. The v1.3 R10 eSNACC release fixes significant bugs present in the previous releases. The eSNACC ASN.1 software can be used to ASN.1 encode and decode objects. In past releases, Getronics improved the eSNACC C++ library to implement the Distinguished Encoding Rules (DER), support large ASN.1 INTEGERs, and improve memory usage. v1.3 R10 eSNACC enhancements (compared to v1.3 R8 and R9 releases): 1) We corrected the eSNACC ASN.1 C and C++ libraries to properly implement the sorting of SET OF components as specified in the 1997 X.690 DER requirements. The eSNACC ASN.1 C++ library was incorrectly ignoring the tag and length of each component when determining their order. The bug was present in the v1.3 R7, v1.3 R8, and v1.3 R9 releases of the eSNACC ASN.1 C++ library. This bug caused interoperability problems with correct DER implementations. For example, this bug caused the S/MIME Freeware Library (SFL) (that uses the eSNACC ASN.1 C++ library) to report signature verification problems when attempting to verify valid signed S/MIME messages. 2) We corrected several bugs in the eSNACC ASN.1 C++ and C libraries that we discovered when testing them using the Simple Network Management Protocol (SNMP) v1 test suite developed by the University of Oulu. The bugs were all error handling problems that occurred when each ASN.1 library attempted to decode invalidly encoded indefinite lengths on primitive types. These were all bugs in the original SNACC code. We used the v1.3 R10 eSNACC ASN.1 C++ and C libraries to successfully process all 18,000 test cases in the SNMPv1 Oulu test suite. 3) We fixed a bug in CSM_Buffer::Write(...) (sm_buffer.cpp file) that resulted in a significant decrease in the time required to ASN.1 decode objects greater than 1MB in size. We tested the v1.3 R10 eSNACC release with the v2.0.1 S/MIME Freeware Library (SFL) (with patch files applied) available from <http://www.getronicsgov.com/hot/sfl_home.htm> that uses the eSNACC ASN.1 software to encode and decode the IETF S/MIME v3 Cryptographic Message Syntax (RFC 2630) and Enhanced Security Services for S/MIME (RFC 2634) security protocol. We tested the v1.3 R10 eSNACC release with the freeware v2.0.1 Certificate Management Library (CML) (no patch files required) available from <http://www.getronicsgov.com/hot/cml_home.htm> that uses the eSNACC ASN.1 software to encode and decode X.509 certificates, attribute certificates and Certificate Revocation Lists as specified in the 2000 X.509 Recommendation. We tested the v1.3 R10 eSNACC release with the freeware v2.0.1 Access Control Library (ACL) (no patch files required to use v1.3 R10 eSNACC release) available from <http://www.getronicsgov.com/hot/acl_home.htm>. The ACL uses the eSNACC ASN.1 software to encode and decode security labels and other objects (such as Security Policy Information Files) required to provide rule based access control as specified in SDN.801. The eSNACC ASN.1 software implements the majority of the ASN.1 encoding/decoding rules as specified in the 1988 X.209 Recommendation. It implements the DER as specified in the 1997 X.690 Recommendation. It does not support all of the latest ASN.1 features, but there are strategies that allow it to be used to produce ASN.1 hex encodings that are identical to those produced by ASN.1 libraries that do support the latest ASN.1 features. Also note that many of the PKIX specs, such as RFC 2459 and RFC 2630, include 1988-compliant ASN.1 syntax modules which can be compiled using the eSNACC compiler. The eSNACC ASN.1 library is totally unencumbered as stated in the Enhanced SNACC Software Public License. All source code for the eSNACC software is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the eSNACC software without paying any royalties or licensing fees. The Internet Mail Consortium (IMC) has established an eSNACC web page <http://www.imc.org/imc-snacc/>. The IMC has established an eSNACC mail list which is used to: distribute information regarding eSNACC releases; discuss related issues; and provide a means for integrators to provide feedback, comments, bug reports, etc. Subscription information for the imc-snacc mail list is at the IMC web site listed above. We welcome all feedback regarding the eSNACC software. If bugs are reported, then we will investigate each reported bug and, if required, will produce a patch or an updated release of the software to repair the bug. This release announcement was sent to several mail lists, but please send all messages regarding the eSNACC software to the imc-snacc mail list ONLY. Please do not send messages regarding the eSNACC software to any of the IETF mail lists. We will respond to all messages sent to the imc-snacc mail list. =========================================== John Pawling, [EMAIL PROTECTED] Getronics Government Solutions, LLC =========================================== ---------- Date: Mon, 25 Mar 2002 14:24:04 -0500 (EST) Message-Id: <[EMAIL PROTECTED]> Errors-To: [EMAIL PROTECTED] Originator: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Precedence: bulk From: "Pawling, John" <[EMAIL PROTECTED]> To: Multiple recipients of list <[EMAIL PROTECTED]> Subject: Patch Files to v2.0.1 S/MIME Freeware Library Now Available X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas Content-Type: text/plain; charset="iso-8859-1" All, Getronics Government Solutions has delivered a set of patch files (Patch A) that fix bugs (see below) in the v2.0.1 S/MIME Freeware Library (SFL) source code. The SFL source code files are freely available at <http://www.getronicsgov.com/hot/sfl_home.htm>. The SFL implements the IETF S/MIME v3 RFC 2630 Cryptographic Message Syntax (CMS) and RFC 2634 Enhanced Security Services (ESS) specifications. It also implements portions of the RFC 2633 Message Specification and RFC 2632 Certificate Handling document. When used in conjunction with the Crypto++ freeware library, the SFL implements the RFC 2631 Diffie-Hellman (D-H) Key Agreement Method specification. It has been successfully tested using the Microsoft (MS) Windows NT/98/2000/XP, Linux and Sun Solaris 2.8 operating systems. Further enhancements, ports and testing of the SFL are still in process. Further releases of the SFL will be provided as significant capabilities are added. The SFL has been successfully used to sign, verify, encrypt and decrypt CMS/ESS objects using: DSA, E-S D-H, 3DES algorithms provided by the Crypto++ library; RSA suite of algorithms provided by the RSA BSAFE 6.0 Crypto-C and Crypto++ libraries; and Fortezza suite of algorithms provided by the Fortezza Crypto Card. The v2.0.1 (Patch A) SFL uses the v1.3 R10 Enhanced SNACC (eSNACC) ASN.1 C++ Library to encode/decode objects. The v2.0.1 SFL release includes: SFL High-level library; Free (a.k.a. Crypto++) Crypto Token Interface Library (CTIL); BSAFE CTIL; Fortezza CTIL; SPEX/ CTIL; PKCS #11 CTIL; Microsoft CAPI v2.0 CTIL; test utilities; test drivers; and test data. All CTILs were tested as Dynamically Linked Libraries (DLL) using MS Windows. The Fortezza, BSAFE and Crypto++ CTILs were tested with the respective security libraries as shared objects using Linux and Solaris 2.8. The SFL has been successfully used to exchange signedData and envelopedData messages with the MS Internet Explorer Outlook Express v4.01, Netscape Communicator 4.X, Entrust and Baltimore S/MIME products. Signed messages have been exchanged with the RSA S/MAIL and WorldTalk S/MIME v2 products. The SFL has also been used to perform S/MIME v3 interoperability testing with Microsoft that exercised the majority of the features specified by RFCs 2630, 2631 and 2634. This testing included the RSA, DSA, E-S D-H, 3DES, SHA and Fortezza algorithms. We used the SFL to successfully process the SFL-supported sample data included in the S/MIME WG "Examples of S/MIME Messages" document. We also used the SFL to generate S/MIME v3 sample messages that were included in the "Examples" document. The use of the v2.0.1 SFL is described in the v2.0 SFL Application Programming Interface (API) and v2.0 SDD documents. The v2.0 SMP Components Setup Manual that describes the component installation procedures for the v2.0.1 SFL, v2.0.1 Certificate Management Library (CML), and v1.3 R10 eSNACC libraries. The use of the v2.0.1 CTIL API is described in the v2.0 CTIL API document. Patch A includes the following enhancements (compared to v2.0.1 SFL and CTIL releases): 1) v2.0.1 (Patch A) SFL was tested using v1.3 R10 eSNACC ASN.1 C++ library that fixed a bug in the code that implements the SET OF sorting as part of the Distinguished Encoding Rules (DER). The eSNACC DER bug was causing the SFL to report signature verification problems when attempting to verify valid signed S/MIME messages. 2) v2.0.1 (Patch A) SFL was tested using v1.3 R10 eSNACC ASN.1 C++ library that also includes a bug fix that resulted in a significant decrease in the time required to decode objects greater than 1MB in size. For example, this eSNACC bug fix resulted in a 300-fold improvement in the SFL decryption of objects that are greater than 1MB in size. 3) Fixed bugs in Microsoft CAPI CTIL code that handles the use of two RSA certificates (and corresponding private keys) that include the same subject name, but are distinguished by the keyUsage extension (one for signature, one for encryption). 4) The SFL timing routine was updated in the sm_EDTImingTest.cpp test utility to time variable loop counter of messages of variable content size. This test now handles ASN.1 Encode, Decode, Encrypt and Decrypt tests (./SMIME/testsrc/util/sm_EDTImingTest.cpp). 5) SFL and Microsoft CAPI CTIL were updated to fix minor memory leaks and other minor bugs. 6) Corrected bug in CertNameToStr (sm_capi.cpp) to process names longer than 100 characters. 7) Improved CertificateBuilder by adding a separate certificatePolicies extension creation menu item. 8) The demonstration program in ./SMIME/testutil/testTripleWrap has been updated to demonstrate multiple certificate loads into RecipientInfos for encryption. This program also demonstrates the Microsoft CAPI CTIL initialization and usage. We are still in the process of enhancing and testing the SFL. Future releases may include: additional PKCS #11 CTIL testing; finish CertificateBuilder command line utility; enhancing CertificateBuilder to support creation of Attribute Certificates; add "Certificate Management Messages over CMS" ASN.1 encode/decode functions; add enhanced test routines; bug fixes; support for other crypto APIs; and support for other operating systems. The SFL is developed to maximize portability to 32-bit operating systems. In addition to testing on MS Windows, Linux and Solaris 2.8, we may port the SFL to other operating systems. The following SFL files are available from <http://www.getronicsgov.com/hot/sfl_lib.htm>: 1) SFL Documents: Fact Sheet, Software Design Description, API, CTIL API, Software Test Description, Implementers Guide, Overview Briefing and Public License. 2) smimeR2.0.1.tar.gz: Source code, MS Windows project files and Unix makefiles for SFL Hi-Level library. 3) snacc13r10rn.tar.gz (source code and binaries available from Getronics eSNACC web page: <http://www.getronicsgov.com/hot/snacc_home.htm>): Source code, MS Windows project files and Unix makefiles for v1.3 R10 eSNACC ASN.1 Compiler and Library that has been enhanced by Getronics to implement the Distinguished Encoding Rules. Source code is compilable for Linux, Solaris 2.8 and MS Windows NT/98/2000/XP. This file includes a sample test project demonstrating the use of the eSNACC classes. 4) smCTIR2.0.1.tar.gz: Source code, MS Windows project files and Unix makefiles for the following CTILs: Test (no crypto), Crypto++, BSAFE, Fortezza, SPEX/, PKCS #11 and MS CAPI v2.0. The CTIL source code includes PKCS #12 software developed by the OpenSSL Project for use in the OpenSSL Toolkit <http://www.openssl.org/> 5) sm_CTIL_MGR_R2.0.1.tar.gz: Source code, MS Windows project files and Unix makefiles for the CTILManager library that provides CTIL-related processing services used by the SFL, ACL and CML. 6) smTest2.0.1.tar.gz: Source code, MS Windows project files and Unix makefiles for test drivers used to test the SFL. This file includes sample CMS/ESS test data and test X.509 Certificates. It also includes the CertificateBuilder utility that can be used to create X.509 Certificates. 7) sfl_v2.0.1_Patch_A.zip: Contains patch files that include aforementioned enhancements to v2.0.1 SFL, Microsoft CAPI CTIL, CertificateBuilder. All source code for the SFL is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the SFL without paying any royalties or licensing fees. Getronics is developing the SFL under contract to the U.S. Government. The U.S. Government is furnishing the SFL source code at no cost to the vendor subject to the conditions of the "SFL Public License". On 14 January 2000, the U.S. Department of Commerce, Bureau of Export Administration published a new regulation implementing an update to the U.S. Government's encryption export policy <http://www.bxa.doc.gov/Encryption/Default.htm>. In accordance with the revisions to the Export Administration Regulations (EAR) of 14 Jan 2000, the downloading of the SFL source code is not password controlled. The SFL is composed of a high-level library that performs generic CMS and ESS processing independent of the crypto algorithms used to protect a specific object. The SFL high-level library makes calls to an algorithm-independent CTIL API. The underlying, external crypto token libraries are not distributed as part of the SFL source code. The application developer must independently obtain these libraries and then link them with the SFL. The SFL uses the CML and eSNACC ASN.1 Library to encode/decode certificates, ACs, CRLs and components thereof. The CML is freely available at: <http://www.getronicsgov.com/hot/cml_home.htm>. The SFL has been successfully tested in conjunction with the Access Control Library (ACL) that is freely available to everyone from: <http://www.getronicsgov.com/hot/acl_home.htm>. The National Institute of Standards and Technology (NIST) is providing test S/MIME messages (created by Getronics) at <http://csrc.nist.gov/pki/testing/x509paths.html>. Getronics used the SFL to successfully process the NIST test data. NIST is using the SFL and CML as part of the NIST S/MIME Test Facility (NSMTF) that they are planning to host (see <http://csrc.ncsl.nist.gov/pki/smime/>). Vendors will be able to use the NSMTF to help determine if their products comply with the IETF S/MIME v3 specifications and the Federal S/MIME v3 Client Profile. The SFL has been integrated into many applications to provide CMS/ESS security services. For example, the SFL was integrated into a security plug-in for a commercial e-mail application that enabled the application to meet the Bridge Certification Authority Demonstration Phase II requirements including implementing ESS features such as security labels. The Internet Mail Consortium (IMC) has established an SFL web page <http://www.imc.org/imc-sfl>. The IMC has also established an SFL mail list which is used to: distribute information regarding SFL releases; discuss SFL-related issues; and provide a means for SFL users to provide feedback, comments, bug reports, etc. Subscription information for the imc-sfl mailing list is at the IMC web site listed above. All comments regarding the SFL source code and documents are welcome. This SFL release announcement was sent to several mail lists, but please send all messages regarding the SFL to the imc-sfl mail list ONLY. Please do not send messages regarding the SFL to any of the IETF mail lists. We will respond to all messages sent to the imc-sfl mail list. ============================================ John Pawling, [EMAIL PROTECTED] Getronics Government Solutions, LLC ============================================