From: Announcements a. p. n. <ope...@li...> - 2011-02-11 16:43:14
Dear OpenCA Community,

The OpenCA Labs and the LibPKI Team announce the availability of the new version of the LibPKI package (Viper/v0.6.3).

Project Overview:
=================

The LibPKI Project is aimed to provide an easy-to-use PKI library for PKI enabled application development. The library provides the developer with functionalities to manage Public Key Certificates, from generation to validation.

The LibPKI Project enables developers with the possibility to implement complex cryptographic operations with a few simple library calls by implementing a high-level cryptographic API.

The library constitutes the core of many other projects at OpenCA Labs (e.g., PRQP Server, OCSP Responder, and OpenCA-NG). We provide it as a separate package to enable application developers to easily integrate X509 digital certificates in their own applications. Currently we support OpenSSL libraries as low-level crypto provider.

Project Status:
===============

o [10 Feb 2011] v0.6.3/Viper release is available for download
o [17 Nov 2010] v0.6.1/Turkey release is available for download
o [02 Sep 2010] v0.5.1/zoiberg release is available for download
o [27 Aug 2010] v0.5.0/lulu release is available for download
o [24 Mar 2010] v0.4.1/tiger2 release available for download
o [19 Apr 2009] v0.3.0/tiger release available for download
o [16 Jan 2009] v0.2.0/shark release available for download
o [20 Mar 2008] Third release available for download (libpki v0.1.9)
o [25 Oct 2007] Second release available for download (libpki v0.1.8)
o [23 Mar 2007] First initial code available for download (libpki v0.1.1)

Major Changes and Fixes:
========================

o Added pki-cert tool to view/manipulate certificates
o Added PKI_ALGORITHM data structures for initializing X509 algorithm identifiers
o Fixed name comparison for certificate profile loading
o Fixed URL input management for stdin, stdout, stderr file stream
o Fixed rpath config on Solaris/OpenSolaris
o Added PKI_KEYPARAMS structure to pass key generation parameters to HSMs
o Added compressed/uncompressed encoding options for EC keys
o Fixed default validity in pki-tool
o Added profile/keyParams section parsing in profiles configuration files (PKI_TOKEN)
o Updated default key min/suggested sizes
o Improved pki-tool command line tool (added params for EC key generation, better -batch handling)
o Extended no-case keyUsage and extendedKeyUsage extension parsing in profiles
o Fixed return code in PKI_NET_Listen(). Now it returns PKI_ERR in case of errors or the socket number (e.g., int > 2 ).
o Fix in PKI_X509_OCSP_RESP_STATUS definition
o Fix in token.c (load config)
o Extended ECDSA support (configuration option) and fixed ECDSA get Algorithm by Name (now working with ECDSA-SHA1, ECDSA-SHA256,...)
o New library versioning

Current Project developers' Tasks:
==================================

Massimiliano Pala is currently working on:

- Enhancing support for ECDSA;
- Enhancing support for PKCS#11 devices (DSA and ECDSA);
- Extending the Log subsystem to provide signed and verifiable logs;
- Enhancing the PKI_MSG interface

Open Issues:
============

o Extensions management is still not stable for complex exts, the code needs to be checked and extended
o Support for NSS crypto layer still pending
o Porting to Win32 (provide support for Microsoft Crypto API)

Wishes:
=======

o Let us know (!)

References:
===========

The OpenCA Project main website can be found at http://www.openca.org/

You can find all current versions and available documentation there. You can also download any part of the software or documentation also at the official ftp site:

http://www.openca.org/projects/libpki
http://ftp.openca.org/libpki

or from one of the official mirrors:

http://www.openca.org/mirrors.shtml

Thanks
======

Thank you for supporting the Open Source community by using/contributing to/reporting bugs/cheering this project! Now go ahead and actively contribute to make the world a better place!

OpenCA Labs Director,
Massimiliano Pala, Ph.D
From: Announcements a. p. n. <ope...@li...> - 2010-04-05 19:18:15
|
Dear OpenCA Community, We are experiencing a major web/ftp server failure. Although we have been able to mirror the server in few minutes, some disruptions may occur till we will be able to setup the principal servers again. Due to DNS propagation the usual http://www.openca.org/ could take a few hours to be accessible again. If you are experiencing difficulties in reaching the servers, use one of the following: http://www2.openca.org http://ftp2.openca.org Please report any major inconvenience you might experience. -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] op...@ac... pro...@op... Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332 PKI/Trust Laboratory Work Phone: +1 (603) 646-8734 --o------------------------------------------------------------------------ People who think they know everything are a great annoyance to those of us who do. -- Isaac Asimov |
From: Announcements a. p. n. <ope...@li...> - 2010-03-09 15:46:55
|
Hi OpenCA-ers, the last OpenCA version (v1.1.0) suffered from several bugs and the binary packages were missing some required files. We have fixed the distribution and we encourage you to download it and install it again: http://www.openca.org/projects/openca/ The current version has been patched with the latest bug fixes. If you still have problems with your installation, we suggest you check the OpenCA's WiKi pages at: http://wiki.openca.org/wiki/ to find the latest info about the OpenCA's projects. As always, we thank all the people who provided feedback and helped us to release a new and improved OpenCA PKI software! Thank you all! Dr. Massimiliano Pala - OpenCA Research Labs Director - |
From: Announcements a. p. n. <ope...@li...> - 2010-02-25 06:53:50
|
OpenCA PKI v1.1.0 (samba) Release-Announcement ========================================== OpenCA PKI v1.1.0 (samba) is released on Feb 24th, 2010. This version improves the older 1.0.2 version by providing fixes for the known bugs, improving the User Interface, updating the database structure for future user-management and community-building. Because of the many changes in the core parts of the project, we suggest to test the new system before using it in production environments. We worked hard to release this new version of OpenCA. We hope you will enjoy our software and find inspiration to collaborate with us and all the other users to improve OpenCA even more! OpenCA Project Overview: ======================== The OpenCA Project is a collaborative effort to develop a robust, full featured and Open Source out-of-the-box Certification Authority implementing the most used protocols with full-strength cryptography world-wide. OpenCA is based on many Open Source Projects. Among the supported software is OpenLDAP, OpenSSL, Apache Project, mod_ssl. The project development is divided in two main tasks: studying and refining the security scheme that guarantees the best model to be used in a CA and developing software to easily setup and manage a Certification Authority. 
Project Status: =============== OpenCA version 1.1.0 Status: Released 24 Feb 2010 (samba) OpenCA version 1.0.2 Status: Released 14 Oct 2008 (ten-ten^2) OpenCA version 1.0.1 Status: Released 10 Oct 2008 (ten-ten) OpenCA version 0.9.3 Status: Release Candidate 2 (rc2) OpenCA version 0.9.3 Status: Release Candidate 1 (rc1) OpenCA version 0.9.2 Status: Released 11 Oct 2004 OpenCA version 0.9.1 Status: Released 03 Jan 2003 OpenCA version 0.9.0 Status: Released 12 Aug 2002 OpenCA version 0.8.6 Status: Released 17 Jul 2002 OpenCA version 0.8.1 Status: Released 08 Nov 2001 OpenCA version 0.8.0 Status: Bug Fixing OpenCA version 0.6.0 Status: Never Released OpenCA version 0.2.0 Status: Released Core developers Tasks: ======================= Massimiliano Pala is currently working on: o Integration with OCSP and PRQP servers o Web-based configuration o Binary Packages Open Issues: ============ o Attributes Certificates Support o Wishes: ======= o References: =========== The OpenCA Project main website can be found at http://www.openca.org. You can find all current versions and available documentation there. You can also download any part of the software or documentation also at the official ftp site: http://ftp.openca.org or from one of the official mirrors: http://www.openca.org/mirrors.shtml Massimiliano Pala - OpenCA Labs Director - |
From: Announcements a. p. n. <ope...@li...> - 2009-05-07 00:39:05
|
Dear OpenCA community, we are trying to understand how to improve the current way that browsers User Interface interact with the users when it comes to PKIs. In particular we are interested in: How to improve the browsers user interface to do so, we need to understand what the users (YOU) think about the current user interfaces. We prepared a very simple survey to unveil the mystery behind what you think! If you would like to help us, and have 5 minutes to spare, please go to our main website and click on the Survey link: http://www.openca.org/ Thank you for your attention, we really hope that you will join our effort in making the PKI world a bit more USABLE each day! Sincerely, Massimiliano Pala OpenCA Labs Director |
From: Announcements a. p. n. <ope...@li...> - 2008-10-15 02:28:42
|
OpenCA v1.0.2 (ten-ten^2) Release-Announcement ============================================== OpenCA v1.0.1 (ten-ten^2) is released on Oct 14th, 2008. This version fixes a couple of minor bugs in the ten-ten release. Here we list some of the changes over version 1.0.1: * Fixed an #include error in OpenCA.xs that prevented ECDSA to be correctly enabled * Added a missing keyword in the ca.conf.template configuration file * Fixed wrong permissions in binary distributions that prevented the correct import of data among different PKI components (eg., from the CA to the RA) OpenCA Project Overview: ======================== The OpenCA Project is a collaborative effort to develop a robust, full featured and Open Source out-of-the-box Certification Authority implementing the most used protocols with full-strength cryptography world-wide. OpenCA is based on many Open Source Projects. Among the supported software is OpenLDAP, OpenSSL, Apache Project, mod_ssl. The project development is divided in two main tasks: studying and refining the security scheme that guarantees the best model to be used in a CA and developing software to easily setup and manage a Certification Authority. 
Project Status: =============== OpenCA version 1.0.2 Status: Released 14 Oct 2008 OpenCA version 1.0.1 Status: Released 10 Oct 2008 OpenCA version 0.9.3 Status: Release Candidate 2 (rc2) OpenCA version 0.9.3 Status: Release Candidate 1 (rc1) OpenCA version 0.9.2 Status: Released 11 Oct 2004 OpenCA version 0.9.1 Status: Released 03 Jan 2003 OpenCA version 0.9.0 Status: Released 12 Aug 2002 OpenCA version 0.8.6 Status: Released 17 Jul 2002 OpenCA version 0.8.1 Status: Released 08 Nov 2001 OpenCA version 0.8.0 Status: Bug Fixing OpenCA version 0.6.0 Status: Never Released OpenCA version 0.2.0 Status: Released Core developers Tasks: ======================= Massimiliano Pala is currently working on: o Ease of installation and Interface Usability of OpenCA o Better support for new browsers and Operating Systems o Automatic Operation Enhancement o Web-based configuration o Binary Packages Open Issues: ============ o Attributes Certificates Support o Wishes: ======= o References: =========== The OpenCA Project main website can be found at http://www.openca.org. You can find all current versions and available documentation there. You can also download any part of the software or documentation also at the official ftp site: http://ftp.openca.org or from one of the official mirrors: http://www.openca.org/mirrors.shtml Massimiliano Pala - OpenCA Core Development Team - -- People who think they know everything are a great annoyance to those of us who do. -- Isaac Asimov |
From: Announcements a. p. n. <ope...@li...> - 2008-10-12 16:43:50
Release-Announcement
====================

OpenCA 1.0.1 (ten-ten) is released on Oct 10th, 2008.

We added a lot of new features and we hope the new version will meet many of the requirements for your CAs. Here we list some of the major changes over version 0.9.3:

* Added Minimum Certificate Validity Period for Expiring email sending (automatically)
* Added extensive information in the Auto(*) daemon activation pages - to explain the available configuration options.
* Finished AutoEmail daemon for automatic E-Mail sending (both for newly issued certificates and for expiring certificate warnings)
* Added the possibility for searching for attributes with multiple values (eg., multiple roles or LOA for certs)
* Finished AutoCRL daemon for issuing CRL automatically
* Added autoEmail daemon (automatic E-Mail sending)
* Fixed loading/saving of parameters for Auto(*) daemons
* Extended report on the status for Auto(*) daemons
* Fixed CRL and Certificates auto status update (valid/expired)
* Added AutoCRL daemon (needs additional work)
* Added new functions to misc-utils.lib for managing process status verification and parameter configuration save/restore.
* Fixed search of objects and extra-refs for lists
* Fixed DSA and ECDSA e-mail problems (no encryption is supported)
* Fixed retrieval of requested certificates when the key is generated on the server (eg., a .p12 is returned now)
* Fixed lists (REQ, CERTS, etc...) display (more readable)
* Added Level of Assurance Checking (Key Algorithm, Key Generation Mode and Key Size)
* Added support for requestStatus to request configuration for automatically approved requests (values can be one of NEW, PENDING, or APPROVED)
* Added support for ldaps and starttls for ldap authenticated browser requests (etc/datasources.xml)
* Added authenticated (via ldap) browser request form (etc/auth_browser_req.xml)
* Added a default logo page (instead of software version one)
* Added support for the new certificate request form for CA initialization
* Fixed a space-tolerance in RDNs
* Simplified the Certificate Request Page
* Added more configurable and simplified certificate request form (etc/browser_req.xml)
* Updated script code (no more VB - only javascript)
* Added Vista Support (IE7) for certificate request
* Added DC fields in CA Certificate Request
* Added possibility to specify the subjectAltName via the CA interface when self-signing the CA certificate
* Fixed Browser and OS recognition in initCGI
* Fixed DN parsing in OpenSSL.pm and REQ.pm to allow bogus DNs from Windows 2003 server (problem reported by Dmitrij Mironov)
* Added LDAP protocol version selection in config.xml (default 3)
* Added possibility to generate DSA keys, reqs, and certs via the web interface (eg., for RA/CA operators)
* Added CRL Revocation Code in CRRs
* Fixed several errors in the default RBAC definitions (ACL)
* Fixed name extension when sending .p12 files to the user
* Applied patch from Alexander Klink (cross-site scripting security fix)
* Fixed generation of index.txt file (thanks to Diego de Felice)
* Fixed --with-service-email-account (thanks to Robert Nelson)
* Eliminated debugging info when web-signing (thx to Robert Nelson)
* Added ca_organization, ca_locality, ca_state and ca_country in etc/config.xml using configure
* Fixed cleanup of directories and ext-modules dependencies
* Fixed menu generation issue that would prevent Safari from correctly navigating the menu

OpenCA Project Overview:
========================

The OpenCA Project is a collaborative effort to develop a robust, full featured and Open Source out-of-the-box Certification Authority implementing the most used protocols with full-strength cryptography world-wide. OpenCA is based on many Open Source Projects. Among the supported software is OpenLDAP, OpenSSL, Apache Project, mod_ssl.

The project development is divided in two main tasks: studying and refining the security scheme that guarantees the best model to be used in a CA and developing software to easily setup and manage a Certification Authority.

Project Status:
===============

OpenCA version 1.0.1 Status: Released 10 Oct 2008
OpenCA version 0.9.3 Status: Release Candidate 2 (rc2)
OpenCA version 0.9.3 Status: Release Candidate 1 (rc1)
OpenCA version 0.9.2 Status: Released 11 Oct 2004
OpenCA version 0.9.1 Status: Released 03 Jan 2003
OpenCA version 0.9.0 Status: Released 12 Aug 2002
OpenCA version 0.8.6 Status: Released 17 Jul 2002
OpenCA version 0.8.1 Status: Released 08 Nov 2001
OpenCA version 0.8.0 Status: Bug Fixing
OpenCA version 0.6.0 Status: Never Released
OpenCA version 0.2.0 Status: Released

Core developers Tasks:
=======================

Massimiliano Pala is currently working on:

o Ease of installation and Interface Usability of OpenCA
o Better support for new browsers and Operating Systems
o Automatic Operation Enhancement
o Web-based configuration
o Binary Packages

Open Issues:
============

o Attributes Certificates Support
o

Wishes:
=======

o

References:
===========

The OpenCA Project main website can be found at http://www.openca.org. You can find all current versions and available documentation there. You can also download any part of the software or documentation also at the official ftp site:

http://ftp.openca.org

or from one of the official mirrors:

http://www.openca.org/mirrors.shtml

Massimiliano Pala
- OpenCA Core Development Team -

--
People who think they know everything are a great annoyance to those of us who do.
-- Isaac Asimov
From: Announcements a. p. n. <ope...@li...> - 2007-04-03 22:48:30
|
Announcement: ============= The OpenCA Team announce the availability of the new project LibPRQP and initial source code: Current Version: v0.0.1 (Initial Source Code) Project Overview: ================= The LibPRQP package is aimed to provide a PRQP enabling library which can be used by applications in order to discover PKI services and repositories. With the deployment of new applications and services, the need to access PKI resources provided by different organizations is critical. Regrettably, still today each application needs to be told about how to find these services for each new certificate it encounters. The basic concept of the protocol is to provide a method to answer to the question "where is resource X URL from this CA ?". The resources might be items that are (occasionally) embedded in certificates today-such as URLs for CRLs or OCSP or SCVP-as well as items such as addresses of the CA homepage address, the subscription service, or the revocation request. Project Status: =============== o [03 Apr 2007] First initial code available for download (libprqp v0.0.1) Current Project developers' Tasks: ================================== Massimiliano Pala is currently working on: - Cleaning up code; - Adding easy-to-use PRQP calls; - Editing the documentation; - Working at an Internet draft to submit to IETF; Open Issues: ============ o Many, the code is stable but needs extension Wishes: ======= o Let us know (!) References: =========== The OpenCA Project main website can be found at http://www.openca.org/ You can find all current versions and available documentation there. You can also download any part of the software or documentation also at the official ftp site: http://www.openca.org/projects/libprqp http://ftp.openca.org/libprqp or from one of the official mirrors: http://www.openca.org/mirrors.shtml Thanks ====== Thank you for supporting the Open Source community by using/contributing to/ reporting bugs/cheering this project! 
Now go ahead and actively contribute to make the world a better place! - The OpenCA Team - |
From: Announcements a. p. n. <ope...@li...> - 2007-03-26 02:00:01
|
Announcement: ============= The OpenCA Team announce the availability of the first version of the LibPKI library: Current Version: v0.1.1 (Initial Code) Project Overview: ================= The LibPKI Project is aimed to provide an easy-to-use PKI library for PKI enabled application development. The library provides the developer with all the needed functionality to manage Public Key Certificates, from generation to validation. The LibPKI Project enables developers with the possibility to implement complex cryptographic operations with a few simple function calls by implementing an high-level cryptographic API. The library constitutes the core of the OpenCA-NG Project, anyway we provide it as a separate package in order to encourage applications developers to use it in their packages. Currently support for OpenSSL and KMF libraries is provided as low-level crypto provider. Project Status: =============== o [23 Mar 2007] First initial code available for download (libpki v0.1.1) Current Project developers' Tasks: ================================== Massimiliano Pala is currently working on: - Adding support for PKI_TOKEN interface; - Adding XML support for certificate/request profiles; - Adding support for XML configuration support; Open Issues: ============ o Many, the code is stable but needs extensio Wishes: ======= o Let us know (!) References: =========== The OpenCA Project main website can be found at http://www.openca.org/ You can find all current versions and available documentation there. You can also download any part of the software or documentation also at the official ftp site: http://www.openca.org/projects/libpki http://ftp.openca.org/libpki or from one of the official mirrors: http://www.openca.org/mirrors.shtml Thanks ====== Thank you for supporting the Open Source community by using/contributing to/ reporting bugs/cheering this project! Now go ahead and actively contribute to make the world a better place! - The OpenCA Team - |
From: Announcements a. p. n. <ope...@li...> - 2006-10-21 20:08:09
|
Announcement: ============= The OpenCA OCSPD Team announce the availability of the last version of the OCSP responder: Current Version: 1.5.1-rc1 (Release Candidate 1) Project Overview: ================= The OpenCA OCSPD project is aimed to develop a robust and easy-to-install OCSP daemon. The server is developed as a stand-alone application and can be integrated into many different PKI solutions as it does not depend on specific database scheme. Furthermore it can be used as a responder for multiple CAs. The OCSP Responder is an rfc2560 compliant OCSPD responder. The purpose of such a server is to provide an on-line tool to verify the status of a certificate (such as Mozilla/Firefox/Netscape7). The Responder was included into the main OpenCA distribution package. It is also possible to install the daemon as a stand-alone application, all you will need is a CRL (or access to an LDAP server where to get the CRL from). Project Status: =============== OpenCA OCSPD version 1.5.1 Status: rc1 available [21 Oct 2006] OpenCA OCSPD version 1.1.1 Status: Released [19 Jul 2006] OpenCA OCSPD version 1.1.0 Status: rc1 available [05 Nov 2005] OpenCA OCSPD version 1.0.5 Status: Released [29 Aug 2005] OpenCA OCSPD version 1.0.3 Status: Released [28 Apr 2005] OpenCA OCSPD version 1.0.2 Status: Released [19 Apr 2005] OpenCA OCSPD version 0.6.5 Status: Released [28 Jan 2005] OpenCA OCSPD version 0.6.4 Status: Released [18 Jan 2005] OpenCA OCSPD version 0.6.2 Status: Released [04 Jan 2005] OpenCA OCSPD version 0.6.1 Status: Released [28 Oct 2004] OpenCA OCSPD version 0.5.0 Status: Released [14 May 2004] OpenCA OCSPD version 0.4.0 Status: Released [21 Feb 2003] OpenCA OCSPD version 0.3.0 Status: Released [18 Feb 2003] Current Project developers' Tasks: ================================== Massimiliano Pala is currently working on: o Multiple certificate/keys usage for different CA; o pthread() support; o Debugging; Open Issues: ============ o Compliance to RFC-2560 when multiple CAs are 
configured Wishes: ======= o References: =========== The OpenCA Project main website can be found at http://www.openca.org/projects/ocspd You can find all current versions and available documentation there. You can also download any part of the software or documentation also at the official ftp site: ftp://ftp.openca.org/pub/ocspd/current/ or from one of the official mirrors: http://www.openca.org/mirrors.shtml Thanks ====== Thank you for supporting the Open Source community by using/contributing to/ reporting bugs/cheering this project! Now go ahead and actively contribute to make the world a better place! - The OpenCA OCSPD Team - |
From: <ope...@li...> - 2004-05-03 07:16:02
|
Dear Open Source developer I am doing a research project on "Fun and Software Development" in which I kindly invite you to participate. You will find the online survey under http://fasd.ethz.ch/qsf/. The questionnaire consists of 53 questions and you will need about 15 minutes to complete it. With the FASD project (Fun and Software Development) we want to define the motivational significance of fun when software developers decide to engage in Open Source projects. What is special about our research project is that a similar survey is planned with software developers in commercial firms. This procedure allows the immediate comparison between the involved individuals and the conditions of production of these two development models. Thus we hope to obtain substantial new insights to the phenomenon of Open Source Development. With many thanks for your participation, Benno Luthiger PS: The results of the survey will be published under http://www.isu.unizh.ch/fuehrung/blprojects/FASD/. We have set up the mailing list fa...@we... for this study. Please see http://fasd.ethz.ch/qsf/mailinglist_de.html for registration to this mailing list. _______________________________________________________________________ Benno Luthiger Swiss Federal Institute of Technology Zurich 8092 Zurich Mail: benno.luthiger(at)id.ethz.ch _______________________________________________________________________ |
From: <ope...@li...> - 2004-01-16 17:36:04
OpenCA Security Advisory [16 January 2004]

Vulnerability in signature validation
=====================================

A flaw in OpenCA before version 0.9.1.7 could cause OpenCA to accept a signature from a certificate if the certificate's chain is trusted by the chain directory of OpenCA. This means that a certificate from another PKI can authorize operations on the used PKI if the chain of the used signature certificate can establish a trust relationship to the actually used PKI.

Alexandru Matei found the bug during a source code verification. Alexandru Matei and Michael Bell of the OpenCA core team fixed the problem for OpenCA 0.9.1 and the CVS HEAD.

Vulnerability
-----------------

OpenCA has a library for common crypto operations - crypto-utils.lib. This library includes a function to check a signature (libCheckSignature). The function loads the used signature certificate from OpenCA's database and finally ensures that the used signature certificate is identical with the certificate in the database. The comparison of the certificate in the database and the certificate of the signer was only performed on base of the serial of the certificate.

The design of the function can cause the acceptance of a signature if the chain of the signature can create a trust relationship to the chain directory of OpenCA and a certificate with a matching serial exists in the used PKI.

Who is affected?
------------------

All versions of OpenCA including 0.9.1.6. A security risk is present for people who are using digital signatures to secure approved requests or role based access control (RBAC).

Recommendations
-----------------

Upgrade to 0.9.1.7 and use newer snapshots than openca-SNAP-20040114.tar.gz.

You can fix the problem by yourself too with the included patch. The original file which we used to create the diff is from OpenCA 0.9.1.6.
-----BEGIN PATCH----- --- src/common/lib/functions/crypto-utils.lib 2004-01-15 12:10:45.000000000 +0100 +++ src/common/lib/functions/crypto-utils.lib.new 2004-01-15 12:10:06.000000000 +0100 @@ -201,7 +201,7 @@ "__ERRVAL__", $OpenCA::X509::errval); return undef; } - last if ( $tmpCert->getSerial() eq $sigCert->getSerial() ); + last if ( $tmpCert->getPEM() eq $sigCert->getPEM() ); $sigCert = undef; } -----END PATCH----- References ------------ The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0004 to this issue. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0004 URL for this Security Advisory: http://www.openca.org/news/CAN-2004-0004.txt |
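Review bot: on the changed `last if` line, `$tmpCert->getPEM() eq $sigCert->getPEM()` is a string comparison of two serialisations, so it is only as reliable as the PEM output is canonical. If the two objects can differ in line wrapping or trailing whitespace, no chain certificate matches and `$sigCert` stays `undef`, which fails closed but rejects a genuine signer. A short comment stating that both values are re-encoded by OpenCA::X509 before the comparison, or a comparison of a digest of the decoded certificate, would make that assumption explicit.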
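The serial-only check and the patched whole-certificate comparison from this advisory, side by side, as an added Perl example that is not OpenCA code. It goes one step beyond the patch by also comparing a SHA-256 fingerprint of the decoded certificate bytes, which is an assumption of this example and not something the advisory says OpenCA does; `fake_cert`, the other helper names and all certificate contents are constructed.

```perl
#!/usr/bin/perl
# Added illustration; not OpenCA code. The "certificates" are constructed
# records whose PEM bodies are arbitrary bytes, not real X.509 data.
use strict;
use warnings;
use Digest::SHA  qw(sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Build a stand-in certificate record: a serial, an issuer label and a PEM
# block that wraps $bytes at $width base64 characters per line.
sub fake_cert {
    my ($serial, $issuer, $bytes, $width) = @_;
    my $b64 = encode_base64($bytes, '');
    $b64 =~ s/(.{1,$width})/$1\n/g;
    return {
        SERIAL => $serial,
        ISSUER => $issuer,
        PEM    => "-----BEGIN CERTIFICATE-----\n${b64}-----END CERTIFICATE-----\n",
    };
}

# Rule before 0.9.1.7: equal serials are treated as "same certificate".
# Serials are only unique per issuer, so another CA can reuse the number.
sub same_by_serial {
    my ($x, $y) = @_;
    return $x->{SERIAL} eq $y->{SERIAL} ? 1 : 0;
}

# Rule after the patch: the PEM text of both certificates must be equal.
sub same_by_pem {
    my ($x, $y) = @_;
    return $x->{PEM} eq $y->{PEM} ? 1 : 0;
}

# Digest of the decoded body, independent of how the PEM text is wrapped.
sub der_fingerprint {
    my ($pem) = @_;
    return undef
        unless $pem =~ /-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/s;
    return sha256_hex(decode_base64($1));
}

# Added variant: compare fingerprints of the decoded bytes.
sub same_by_fingerprint {
    my ($x, $y) = @_;
    my $fx = der_fingerprint($x->{PEM});
    my $fy = der_fingerprint($y->{PEM});
    return (defined $fx && defined $fy && $fx eq $fy) ? 1 : 0;
}

# Certificate stored in the local PKI database (constructed).
my $payload = 'certificate issued by our CA / ' x 4;
my $db_cert = fake_cert(42, 'CN=Our CA', $payload, 64);

# Certificate from a different PKI that happens to carry serial 42 as well.
my $foreign = fake_cert(42, 'CN=Foreign CA', 'certificate issued elsewhere / ' x 4, 64);

# The database certificate again, serialised with a different line width.
my $rewrapped = fake_cert(42, 'CN=Our CA', $payload, 76);

for my $case ([ 'foreign cert, same serial', $foreign ],
              [ 'same cert, re-wrapped PEM', $rewrapped ]) {
    my ($label, $cert) = @$case;
    printf "%-26s serial=%d pem=%d fingerprint=%d\n", $label,
        same_by_serial($db_cert, $cert),
        same_by_pem($db_cert, $cert),
        same_by_fingerprint($db_cert, $cert);
}
```

The foreign certificate passes only the serial check; the re-wrapped copy fails the text comparison but matches by fingerprint.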
From: <ope...@li...> - 2003-11-28 12:03:40
OpenCA Security Advisory [28 November 2003]

Vulnerabilities in signature validation
=======================================

Multiple flaws in OpenCA before version 0.9.1.4 could cause OpenCA to use an incorrect certificate in the chain to determine the serial being checked which could lead to certificates that are revoked or expired being incorrectly accepted.

Chris Covell and Gottfried Scheckenbach performed tests with OpenCA and CA hierarchies. They had problems to verify signatures with some functions in OpenCA which test the signer's certificate. Michael Bell of the OpenCA core team identified and fixed the problems for OpenCA 0.9.1 and the CVS HEAD.

Vulnerabilities
-----------------

1. OpenCA has a library for common crypto operations - crypto-utils.lib. This library includes a function to determine the serial of the certificate which somebody used to create a PKCS#7 signature. The function uses this serial to load and return the certificate. The function used the interface of OpenCA::PKCS7 (the OpenCA PKCS#7 module) in a wrong way.

2. The crypto library crypto-utils.lib uses all certificates which were included into the signature to create the X.509 object of the signer's certificate. The result is an object which was created from one of the certificates of the certificate chain. This means that the result is haphazard.

3. OpenCA::PKCS7 includes a wrong regular expression to detect lines which have nothing to do with the parsing of the certificate chain.

4. The serial in the certificate chain was parsed with a wrong regular expression in OpenCA::PKCS7. Big letters like A, C, B, D, E and F were ignored.

Who is affected?
------------------

All versions of OpenCA including 0.9.1.3. A security risk is present for people who are using digital signatures to secure approved requests or role based access control (RBAC).

Recommendations
-----------------

Upgrade to 0.9.1.4 and use newer snapshots than openca-0.9-SNAP-20031125.tar.gz.
You can fix the problem by yourself too with the included patches. The original files which we used to create the diffs are from OpenCA 0.9.1.3. -----BEGIN PATCH----- --- openca-0.9.1.3/src/modules/openca-pkcs7/PKCS7.pm 2002-09-10 16:42:02.000000000 +0200 +++ openca-0.9.1.4/src/modules/openca-pkcs7/PKCS7.pm 2003-11-26 15:54:08.000000000 +0100 @@ -69,7 +69,7 @@ our ($errno, $errval); -($OpenCA::PKCS7::VERSION = '$Revision: 1.12 $' )=~ s/(?:^.*: (\d+))|(?:\s+\$$)/defined $1?"0\.9":""/eg; +($OpenCA::PKCS7::VERSION = '$Revision: 1.12.2.1 $' )=~ s/(?:^.*: (\d+))|(?:\s+\$$)/defined $1?"0\.9":""/eg; my %params = ( inFile => undef, @@ -167,6 +167,8 @@ my ( $ret, $tmp ); + return $self->{parsed} if ($self->{parsed}); + $tmp = $self->{backend}->verify( SIGNATURE=>$self->{signature}, DATA_FILE=>$self->{dataFile}, CA_CERT=>$self->{caCert}, @@ -292,10 +294,10 @@ ($self->{status}) = ( $line =~ /^\s*error:([^:]*):/ ); } - next if( $line != /^depth/i ); + next if( $line !~ /^depth/i ); ( $currentDepth, $serial, $dn ) = - ( $line =~ /depth:([\d]+) serial:([a-f\d]+) subject:(.*)/ ); + ( $line =~ /depth:([\d]+) serial:([a-fA-F\d]+) subject:(.*)/ ); $ret->{$currentDepth}->{SERIAL} = hex ($serial) ; $ret->{$currentDepth}->{DN} = $dn; --- openca-0.9.1.3/src/common/lib/functions/crypto-utils.lib 2002-12-22 13:08:19.000000000 +0100 +++ openca-0.9.1.4/src/common/lib/functions/crypto-utils.lib 2003-11-26 13:04:50.000000000 +0100 
@@ -176,19 +176,36 @@ return undef; } - ## Get signer certificate from the pkcs7 structure - $sigCert = new OpenCA::X509 ( SHELL => $cryptoShell, - DATA => $sig->getSigner()->{CERTIFICATE}); - - if( not $sigCert ) { - $errno = 6103; - $errval = i18nGettext ("Signer's certificate is corrupt!\nOpenCA::X509 returns errorcode __ERRNO__ (__ERRVAL__).", - "__ERRNO__", $OpenCA::X509::errno, - "__ERRVAL__", $OpenCA::X509::errval); - return undef; + ## Get signer certificate chain from the pkcs7 structure + my @chain = split /-----END CERTIFICATE-----/, + $sig->getSigner()->{CERTIFICATE}; + for (my $i=0; $i < scalar @chain; $i++) + { + if (not $chain[$i]) + { + delete $chain[$i]; + next; + } + $chain[$i] .= "-----END CERTIFICATE-----"; + $chain[$i] =~ s/^.*-----BEGIN CERTIFICATE-----/-----BEGIN CERTIFICATE-----/s; + } + $sigCert = undef; + for (my $i=0; $i < scalar @chain; $i++) + { + $sigCert = new OpenCA::X509 ( SHELL => $cryptoShell, + DATA => $chain[$i]); + if( not $sigCert ) { + $errno = 6103; + $errval = i18nGettext ("Signer's certificate is corrupt!\nOpenCA::X509 returns errorcode __ERRNO__ (__ERRVAL__).", + "__ERRNO__", $OpenCA::X509::errno, + "__ERRVAL__", $OpenCA::X509::errval); + return undef; + } + last if ( $tmpCert->getSerial() eq $sigCert->getSerial() ); + $sigCert = undef; } - if( $tmpCert->getSerial() ne $sigCert->getSerial() ) { + if( not $sigCert ) { $errno = 6104; $errval = gettext ("Signer's Certificate and DB's Certificate do not match"); return undef; 
@@ -281,19 +298,8 @@ return undef; } - my $sigCert = new OpenCA::X509 ( SHELL => $cryptoShell, - DATA => $sig->getSigner()->{CERTIFICATE}); - - if (not $sigCert) { - $errno = 6302; - $errval = i18nGettext ("Cannot create X509-object from the certificate of the signer! OpenCA::X509 returns errorcode __ERRNO__ (__ERRVAL__).", - "__ERRNO__", $OpenCA::X509::errno, - "__ERRVAL__", $OpenCA::X509::errval); - return undef; - } - my $db_cert = $db->getItem( DATATYPE => 'CERTIFICATE', - KEY => $sigCert->getSerial() ); + KEY => $sig->getSigner()->{SERIAL} ); if( not $db_cert ) { $errno = 6303; --- openca-0.9.1.3/src/common/lib/cmds/verifySignature 2003-03-31 15:45:19.000000000 +0200 +++ openca-0.9.1.4/src/common/lib/cmds/verifySignature 2003-11-26 13:04:34.000000000 +0100 @@ -11,7 +11,7 @@ ## Get the Configuration parameters ... my ( $parsed, $lnk, $serLink, $sigInfo, $sigStatus, $signer, $signature); my ( $baseDoc, $info, $sigCertStatus, $def, $dbStatus, $dbMessage); -my ( $myCN, $myEmail, $mySerial, @sigCert, $tmpCert, $pCert ); +my ( $myCN, $myEmail, $mySerial, $tmpCert, $pCert ); ## Get Required Parameters from Configuration my $baseDoc = getRequired ('verifySignatureform'); @@ -53,10 +53,7 @@ $myDN = $signer->{DN}; $myDN =~ s/^\///; $myDN =~ s/\//<BR>/g; -$sigCert = new OpenCA::X509 ( SHELL => $cryptoShell, - DATA => $sign->getSigner()->{CERTIFICATE}); - -$issuerDN = $sigCert->getParsed()->{ISSUER}; +$issuerDN = $sign->getParsed()->{CHAIN}->{1}->{DN}; $issuerDN =~ s/^\///; $issuerDN =~ s/[\/\,]/<BR>/g; ## Check Signature Status @@ -71,7 +68,7 @@ $dbStatus = $errno; $sigStatus = "<FONT COLOR=\"Red\">".gettext("Unknown")."</FONT>"; - $serLink = $sigCert->getSerial(); + $serLink = $sign->getSigner()->{SERIAL}; } else { $sigMessage = gettext("Signature correctly verified"); } 
@@ -96,11 +93,7 @@ $serLink = $tmpCert->getSerial(); } -if( $sigCert ) { - $pCert = $sigCert->getParsed(); -} elsif ( $tmpCert ) { - $pCert = $tmpCert->getParsed(); -} +$pCert = $tmpCert->getParsed(); ## View the Operator Used Certificate Data $page = $query->subVar( $page, '@DN@', ($myDN or "n/a" ) ); --- openca-0.9.1.3/src/common/lib/cmds/viewSignature 2002-12-10 16:18:15.000000000 +0100 +++ openca-0.9.1.4/src/common/lib/cmds/viewSignature 2003-11-26 13:04:34.000000000 +0100 @@ -11,7 +11,7 @@ ## Get the Configuration parameters ... my ( $parsed, $lnk, $serLink, $sigInfo, $sigStatus, $signer, $signature); my ( $baseDoc, $info, $sigCertStatus, $def, $dbStatus, $dbMessage); -my ( $myCN, $myEmail, $mySerial, @sigCert, $tmpCert, $pCert ); +my ( $myCN, $myEmail, $mySerial, $tmpCert, $pCert ); my $dataType = $query->param('dataType' ); my $key = $query->param('key'); @@ -54,9 +54,6 @@ name=>"EMAIL", value=>$signer->{DN_HASH}->{EMAILADDRESS}[0]} ); $myEmail = $lnk->a({-href=>$lnk->self_url()}, $signer->{DN_HASH}->{EMAILADDRESS}[0]); -$sigCert = new OpenCA::X509 ( SHELL => $cryptoShell, - DATA => $signature->getSigner()->{CERTIFICATE}); - ## Check Signature Status if( not libCheckSignature( SIGNATURE=>$signature ) ) { $sigStatus = "<FONT COLOR=\"Red\">".gettext("Error")."</FONT>"; @@ -105,7 +102,7 @@ $serLink = $lnk->a({-href=>$lnk->self_url()}, $tmpCert->getSerial() ); - $decSerLink = "( " . hex( $sigCert->getSerial() ) . " )"; + $decSerLink = "( " . hex( $tmpCert->getSerial() ) . " )"; $lnk = new CGI({cmd => "search", dataType => "CERTIFICATE", 
@@ -114,11 +111,7 @@ $myEmail = $lnk->a({-href=>$lnk->self_url()}, $tmpCert->getParsed()->{EMAILADDRESS}); } -if( $sigCert ) { - $pCert = $sigCert->getParsed(); -} elsif ( $tmpCert ) { - $pCert = $tmpCert->getParsed(); -} +$pCert = $tmpCert->getParsed(); ## View the Operator Used Certificate Data $page = $query->subVar( $page, '@CN@', ($myCN or "n/a" ) ); -----END PATCH----- References ------------ The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0960 to this issue. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0960 URL for this Security Advisory: http://www.openca.org/news/CAN-2003-0960.txt |
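Review bot: In PKCS7.pm hunk @@ -167,6 +167,8 @@, the new early return "return $self->{parsed} if ($self->{parsed});" hands back the cached result without checking that it still belongs to the current $self->{signature} and $self->{dataFile}. If either field can be reassigned on a live object, the stale chain and status are returned and verify is never run again. Clear $self->{parsed} wherever those fields are set, or add a comment stating that the object is not modified after the first parse.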
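Review bot: In PKCS7.pm hunk @@ -292,10 +294,10 @@, the result of the depth/serial/subject match is still not checked before "$ret->{$currentDepth}->{SERIAL} = hex ($serial)". A line that starts with "depth" but does not match leaves all three variables undefined, so an entry with serial 0 is stored under an empty key instead of the line being rejected. Skip the line or raise an error when the match fails. hex() also loses precision for serials wider than the native integer, so keeping the hex string for comparison would be safer.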
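Review bot: In crypto-utils.lib hunk @@ -176,19 +176,36 @@, the signer is picked with "last if ( $tmpCert->getSerial() eq $sigCert->getSerial() )", which matches on the serial alone. Serial numbers are only unique per issuer, so a certificate elsewhere in the chain that carries the same serial would be taken as the signer's certificate; compare the issuer DN (or the whole certificate) as well. Separately, the "not $chain[$i]" test does not catch a whitespace-only fragment that split can leave after the last END marker, and "delete $chain[$i]" can leave an undefined slot rather than shortening the array, so either can reach "new OpenCA::X509" and end in error 6103 instead of 6104. Filtering the fragments with a grep for the BEGIN marker before the second loop avoids both.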
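Review bot: In crypto-utils.lib hunk @@ -281,19 +298,8 @@, the database lookup now uses "KEY => $sig->getSigner()->{SERIAL}" with no check that the value is defined, whereas the removed code failed with error 6302 when the signer's certificate could not be parsed. Add an explicit check for a missing or empty SERIAL before getItem, and confirm that the value is in the same representation that getSerial() returned, since the key previously came from the X509 object.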
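Review bot: In verifySignature hunk @@ -53,10 +53,7 @@, "$issuerDN = $sign->getParsed()->{CHAIN}->{1}->{DN};" assumes the parsed chain always has a depth-1 entry. When it does not, the lookup autovivifies an empty CHAIN->{1}, $issuerDN is undefined, and the two substitutions that follow operate on an undefined value. Check that the entry exists first and fall back to 'n/a', as the page already does for $myDN.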
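Review bot: In verifySignature hunk @@ -96,11 +93,7 @@ (and the identical change in viewSignature hunk @@ -114,11 +111,7 @@), "$pCert = $tmpCert->getParsed();" is now unconditional, while the removed code only made that call under "elsif ( $tmpCert )". If the database lookup did not return a certificate, this is a method call on an undefined value and the page dies instead of rendering 'n/a'. Keep the guard: "$pCert = $tmpCert->getParsed() if ( $tmpCert );".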
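The parsing flaws described in items 3 and 4 of the advisory above, as an added Perl example that is not OpenCA's code: a simplified parser for the "depth:N serial:HEX subject:DN" lines, run once with the lowercase-only serial class and once with the corrected one. The sample lines, the names parse_chain and signer_matches, the choice to keep serials as hex strings, and the treatment of depth 0 as the signer are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed verifier output in the "depth:N serial:HEX subject:DN" layout
# that the regular expression in the patch matches. All values are made up.
my @output = (
    "verification output unrelated to the chain",
    "depth:0 serial:1A2F subject:/CN=Constructed Operator/O=Example",
    "depth:1 serial:0b subject:/CN=Constructed Sub CA/O=Example",
    "depth:2 serial:01 subject:/CN=Constructed Root CA/O=Example",
);

# Parse chain lines into { depth => { SERIAL => hex string, DN => dn } }.
# Lines that start with "depth" but do not match are returned separately
# instead of being stored under an undefined key. Serials are kept as
# lowercase hex strings (an assumption of this example) so that long
# serials are never pushed through hex().
sub parse_chain {
    my ($serial_re, @lines) = @_;
    my (%chain, @rejected);
    for my $line (@lines) {
        next if $line !~ /^depth/i;    # not a chain line
        my ($depth, $serial, $dn) =
            $line =~ /^depth:(\d+) serial:($serial_re) subject:(.*)/;
        if (defined $depth) {
            $chain{$depth} = { SERIAL => lc($serial), DN => $dn };
        } else {
            push @rejected, $line;
        }
    }
    return (\%chain, \@rejected);
}

# Assumption: depth 0 is the signer. Accept only if that entry was parsed
# and its serial equals the serial of the certificate held in the database.
sub signer_matches {
    my ($chain, $db_serial_hex) = @_;
    my $signer = $chain->{0} or return 0;    # fail closed: no signer parsed
    return $signer->{SERIAL} eq lc($db_serial_hex) ? 1 : 0;
}

my @cases = (
    [ 'lowercase-only serial class (before the fix)', qr/[a-f\d]+/    ],
    [ 'upper and lower case (after the fix)',         qr/[a-fA-F\d]+/ ],
);

for my $case (@cases) {
    my ($label, $re) = @$case;
    my ($chain, $rejected) = parse_chain($re, @output);
    print "$label\n";
    printf "  parsed depths : %s\n",
        join(', ', sort { $a <=> $b } keys %$chain);
    printf "  rejected lines: %d\n", scalar @$rejected;
    printf "  signer matches database serial 1a2f: %s\n",
        signer_matches($chain, '1a2f') ? 'yes' : 'no';
}
```

With the lowercase-only class the depth-0 line is rejected, so the signer entry is missing and the check fails closed; a parser that does not check the match result would instead record an undefined depth and serial for that line.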
From: <ope...@li...> - 2003-01-07 22:41:06
|
OpenCA 0.9.1 RELEASED - Developer Release
=========================================

OpenCA - The Open Certification Authority Toolkit (http://www.openca.org)

The OpenCA core team wants to announce the newly issued Release of the
OpenCA software.

OpenCA Project Overview:
========================

The OpenCA Project is a collaborative effort to develop a robust, full
featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project's httpd, mod_ssl.

The project development is divided into two main tasks: studying and
refining the security scheme that guarantees the best model to be used in a
CA and developing software to easily setup and manage a Certification
Authority.

Project Status:
===============

OpenCA version 0.9.2 Status: Under Development
OpenCA version 0.9.1 Status: Released 07 Jan 2003
OpenCA version 0.9.0 Status: Released 12 Aug 2002
OpenCA version 0.8.6 Status: Released 17 Jul 2002
OpenCA version 0.8.1 Status: Released 08 Nov 2001
OpenCA version 0.8.0 Status: Released 02 Nov 2001
OpenCA version 0.6.0 Status: [ Never Released ]
OpenCA version 0.2.0 Status: Released 16 Nov 1999

OpenCA Current features:
========================

o Certification Authority can now import requests, list certificate
  requests, export certs, archive requests, view archived requests, delete
  requests, issue certificates, verify RA operator identity, export CRL;

o Registration Authorities Server can list pending/deleted/archived
  requests, approve requests, export requests to removable media, import
  new certs from removable media, import CRLs, export CA certificate to
  LDAP, export CRLs to LDAP, initialize LDAP, export client certificates to
  LDAP;

o Public server can list pending requests, accept PKCS#10 certification
  requests, accept SPKAC certification requests, accept IE certification
  requests, deliver issued certificates to users, deliver issued CRLs to
  users, display CRLs, list users' certificates;

Core developers' Tasks:
=======================

Massimiliano Pala is currently working on:

o OCSP responder development/integration
o Smart Cards integration
o SCEP support and integration
o XML interfaces

Michael Bell is currently working on:

o DBI module updating (DB2/Oracle/Postgres/MySQL support)
o RBAC Module (Role Based Management)
o Revocation Process engineering through the use of CRIN codes
  (Certificate Revocation PIN)
o LDAP support improving
o Export-Import utils
o i18n
o RPMS

OpenCA differences between previous release (0.9.0):
=====================================================

o I18N support added:
  - English language supported
  - German language supported
  - Spanish language supported

o IE-fixes:
  - fixed getcert
  - download of certificates from other users via the pub-gw works
  - rewrite the requestgeneration for IE because of some problems with
    Siemens CardOS CSP
  - integrated security-fix of Microsoft for MS02-48

o RBAC:
  - deactivated debugging in rbac-utils.lib
  - removed conf-file for raServerInfo
  - added conf-file for serverInfo
  - security bugfix against misconfiguration of mod_ssl
  - some signatures will no longer be used because they bring us no
    additional security

o Batch Processors:
  - keybackup integrated into batchprocessor (still alpha)
  - PINs in the batchprocessors are now encrypted

o DBMS:
  - explicit commit and rollback for SQL-databases
  - fixed DBI because MySQL is really sensitive for blanks between
    functions and parenthesis
  - cleanup interface of OpenCA::DBI (DB2 works again) and avoid crashes of
    the web interfaces if databases are down
  - fixed status bug in OpenCA::DBI (EXPIRED works now)
  - fixed several problems in OpenCA::DB

o Miscellaneous:
  - fixed serials in the DN (now the user sees only decimal numbers)
  - fixed the signatureverification
  - use strict; in all webinterfaces
  - several performance enhancements in OpenCA::REQ and OpenCA::X509 to
    speedup lists
  - new export/import system supports incremental exports
  - support for HSMs added (Chrysalis-ITS Luna CA3) - special thanks to
    Bahaaldin Al-Amood <bal...@vt...>
  - certificates cannot have a longer lifetime than the CA-cert now
  - added special CRL-generation
  - LDAP v3 supported
  - perl 5.8 supported

Notes:
======

This release still is a developer-only version. Please refer to our web
site on how to contribute to the project: you are strongly encouraged to
contribute to the project so as to speed up community driven development,
the best. Mailing lists are also available.

Software Availability
=====================

We consider the announced version the most reliable one, and we encourage
users of older ones to upgrade their packages. Currently you can find
archives at our web site http://www.openca.org/openca or at our ftp server
ftp://ftp.openca.org.

Mirrors list:

o take a look at http://www.openca.org/openca/mirrors.shtml

We hope you find this software useful and to receive many comments and/or
proposal and/or code coming from the users' community.

Mirroring Notes
===============

If you plan to mirror us, please let us know as to make your ftp site
available among the mirrors list.

Contacts
========

To contact us, please visit our web site where you will find any
information on how to send your comments to us.

Massimiliano Pala - OpenCA PKI development Team -
|
From: <ope...@li...> - 2002-09-24 09:45:52
|
OpenCA 0.9.0 RELEASED - Developer Release
=========================================

OpenCA - The Open Certification Authority Toolkit (http://www.openca.org)

The OpenCA core team wants to announce the newly issued Release of the
OpenCA software.

OpenCA Project Overview:
========================

The OpenCA Project is a collaborative effort to develop a robust, full
featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project's httpd, mod_ssl.

The project development is divided into two main tasks: studying and
refining the security scheme that guarantees the best model to be used in a
CA and developing software to easily setup and manage a Certification
Authority.

Project Status:
===============

OpenCA version 0.9.1 Status: Release Candidate 5
OpenCA version 0.9.0 Status: Released 12 Aug 2002
OpenCA version 0.8.6 Status: Released 17 Jul 2002
OpenCA version 0.8.1 Status: Released 08 Nov 2001
OpenCA version 0.8.0 Status: Released 02 Nov 2001
OpenCA version 0.6.0 Status: [ Never Released ]
OpenCA version 0.2.0 Status: Released 16 Nov 1999

OpenCA Current features:
========================

o Certification Authority can now import requests, list certificate
  requests, export certs, archive requests, view archived requests, delete
  requests, renew requests, issue certificates, revoke certificates, verify
  RA operator identity, export CRL

o Online Administration server can initialize the online-database, import
  certificates, mail and CRLs from removable media, export certificate
  signing and revocation requests, automatically update LDAP during import,
  send prepared emails automatically and manually

o Registration Authority can list pending/deleted/archived requests, edit
  requests, approve requests, delete requests, send email to user, download
  private keys and certificate in PKCS#12-, PKCS#8- and SSLeay-format

o LDAP management interface can export CA certificate to LDAP, export CRLs
  to LDAP, initialize LDAP, export client certificates to LDAP, remove
  certificates from LDAP

o Public server can list pending requests, accept PKCS#10 certification
  requests, accept SPKAC certification requests, accept IE certification
  requests, generate certification requests, deliver issued certificates to
  users, deliver issued CRLs to users, display CRLs, list users'
  certificates, test certificates;

Core developers' Tasks:
=======================

Massimiliano Pala is currently working on:

o OCSP responder development/integration;
o Smart Cards integration;
o RPMs;

Michael Bell is currently working on:

o DBI module updating (DB2/Oracle/Postgres/MySQL support)
o RBAC (Role Based Access Control)
o Revocation Process engineering through the use of CRIN codes
  (Certificate Revocation PIN) and signing
o LDAP support improving
o Export-Import utils
o Batchprocessors including support for keyrecovery

OpenCA differences between previous release (0.8.6):
=====================================================

o complete initialization through the webinterface
o serverside requestgeneration for support of browsers which cannot create
  requests
o support for keygeneration by the RA (some people want to distribute
  smartcards directly via their RA)
o full support for CRRs
o certificate signing requests and the resulting certificates are linked to
  each other
o support for Windows 2000 smartcardlogin was tested

Notes:
======

This release still is a developer-only version. Please refer to our web
site on how to contribute to the project: you are strongly encouraged to
contribute to the project so as to speed up community driven development,
the best. Mailing lists are also available.

Software Availability
=====================

We consider the announced version the most reliable one, and we encourage
users of older ones to upgrade their packages. Currently you can find
archives at our web site ftp://ftp.openca.org.

Mirrors list:

o take a look at http://www.openca.org/openca/mirrors.shtml

We hope you find this software useful and to receive many comments and/or
proposal and/or code coming from the users' community.

Mirroring Notes
===============

If you plan to mirror us, please let us know as to make your ftp site
available among the mirrors list.

Contacts
========

To contact us, please visit our web site where you will find any
information on how to send your comments to us.

Massimiliano Pala - OpenCA PKI development Team -
|
From: <ope...@li...> - 2001-11-08 11:49:07
|
OpenCA New Release Announcement:
================================

OpenCA Project Overview:
========================

The OpenCA Project is a collaborative effort to develop a robust, full
featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project's httpd, mod_ssl.

The project development is divided into two main tasks: studying and
refining the security scheme that guarantees the best model to be used in a
CA and developing software to easily setup and manage a Certification
Authority.

Project Status:
===============

OpenCA version 0.9.0 Status: Developing
OpenCA version 0.8.0 Status: Released 02 Nov 2001
OpenCA version 0.8.0 Status: Released 02 Nov 2001
OpenCA version 0.6.0 Status: [ Never Released ]
OpenCA version 0.2.0 Status: Released 16 Nov 1999

OpenCA Current features:
========================

o Certification Authority can now import requests, list certificate
  requests, export certs, archive requests, view archived requests, delete
  requests, issue certificates, verify RA operator identity, export CRL;

o Registration Authorities Server can list pending/deleted/archived
  requests, approve requests, export requests to removable media, import
  new certs from removable media, import CRLs, export CA certificate to
  LDAP, export CRLs to LDAP, initialize LDAP, export client certificates to
  LDAP;

o Public server can list pending requests, accept PKCS#10 certification
  requests, accept SPKAC certification requests, accept IE certification
  requests, deliver issued certificates to users, deliver issued CRLs to
  users, display CRLs, list users' certificates;

OpenCA differences to previous release (0.8.0):
===============================================

o Fixed some Makefile errors on Solaris
o Added (missing) getcert command on public server
o Fixed LDAP certificate adding (sn)
o Fixed provided OpenSSL extfiles (certificate extensions profiles)
o Fixed link on public server for retrieving CA certificate

References:
===========

The OpenCA Project main website can be found at http://www.openca.org (or
at http://openca.sourceforge.net). You can find all current versions and
available documentation there. You can also download any part of the
software or documentation also at the official ftp site:

ftp://ftp.openca.org
ftp://openca.sourceforge.net/pub/openca (soon removed)

or from one of the official mirrors:

http://www.openca.org/openca/mirrors.shtml

Massimiliano Pala
OpenCA PKI development Group
|
From: <ope...@li...> - 2001-11-02 15:27:04
|
OpenCA Project Overview:
========================

The OpenCA Project is a collaborative effort to develop a robust, full
featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project's httpd, mod_ssl.

The project development is divided into two main tasks: studying and
refining the security scheme that guarantees the best model to be used in a
CA and developing software to easily setup and manage a Certification
Authority.

Project Status:
===============

OpenCA version 0.9.0 Status: Developing
OpenCA version 0.8.0 Status: Released 02 Nov 2001
OpenCA version 0.6.0 Status: [ Never Released ]
OpenCA version 0.2.0 Status: Released 16 Nov 1999

OpenCA Current features:
========================

o Certification Authority can now import requests, list certificate
  requests, export certs, archive requests, view archived requests, delete
  requests, issue certificates, verify RA operator identity, export CRL;

o Registration Authorities Server can list pending/deleted/archived
  requests, approve requests, export requests to removable media, import
  new certs from removable media, import CRLs, export CA certificate to
  LDAP, export CRLs to LDAP, initialize LDAP, export client certificates to
  LDAP;

o Public server can list pending requests, accept PKCS#10 certification
  requests, accept SPKAC certification requests, accept IE certification
  requests, deliver issued certificates to users, deliver issued CRLs to
  users, display CRLs, list users' certificates;

OpenCA differences to previous release (0.2.0):
===============================================

o Modularization process completed. OpenCA now uses a series of modules to
  ease code organization and handling of pki related objects (such as
  certificates, crl, requests, etc...).

o Added support for Internet Explorer for requesting certificates.

o Stripped off the EMAIL field from certificates (default behaviour, this
  could be avoided by editing the email_in_dn parameter in the provided
  openssl configuration file);

o Initial Certificate extensions management. Actually it is possible to add
  new certificates profiles (using openssl extfiles). This gives the
  possibility both to the RA Operator and to the CA Operator to choose the
  certificate's profile to be used.

o Added support for managing DNs before approving a request.

o LDAP support included using new perl-ldap module over the Net-LDAPApi
  one. We have decided to move to the perl-ldap module because of many
  problems found when installing the old Net-LDAPApi module as this is no
  more supported and incompatibility issues arise with openldap 2.xx
  versions.

o DB backend support added for PKI related objects. The DB backend
  currently has support for file-based DBMs and for SQL DBMs (mySql,
  Oracle, DB2, Postgres).

o DBMs backend initialization is web-based both on the RAServer and on the
  CA.

o Installation now uses autoconf scripts. The autoconf script usage is
  aimed towards the ease of the installation process on different
  platforms.

o Enabled RA Operator's signature verification before issuing the new
  certificate (uses the openca-verify command of the OpenCA-SV package).

o Bugfixing.

References:
===========

The OpenCA Project main website can be found at http://www.openca.org (or
at http://openca.sourceforge.net). You can find all current versions and
available documentation there. You can also download any part of the
software or documentation also at the official ftp site:

ftp://ftp.openca.org
ftp://openca.sourceforge.net/pub/openca (soon removed)

or from one of the official mirrors:

http://www.openca.org/openca/mirrors.shtml

OpenCA Developers Group

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]
ma...@cp... ma...@op... ma...@ha...
http://www.openca.org           Tel.: +39 (0)59 270 094
http://openca.sourceforge.net   Mobile: +39 (0)347 7222 365
|
From: <ope...@li...> - 2001-10-16 15:49:08
|
Hi all,

new web pages have been published. The web addresses are:

http://www.openca.org (for OpenCA LABS)

and

http://www.openca.org/openca (for PKI devel)

Let us know if there are problems when accessing the web pages or if you
find navigation difficult or not clear.

--
C'you,

Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]
ma...@cp... ma...@op... ma...@ha...
http://www.openca.org           Tel.: +39 (0)59 270 094
http://openca.sourceforge.net   Mobile: +39 (0)347 7222 365
|