|
From: Announcements a. p. n. <ope...@li...> - 2011-02-11 16:43:14
|
Dear OpenCA Community,
The OpenCA Labs and the LibPKI Team announce the availability of the new
version of the LibPKI package (Viper/v0.6.3).
Project Overview:
=================
The LibPKI Project is aimed to provide an easy-to-use PKI library for
PKI enabled application development. The library provides the developer
with functionalities to manage Public Key Certificates, from generation
to validation.
The LibPKI Project enables developers with the possibility to implement
complex cryptographic operations with a few simple library calls by
implementing a high-level cryptographic API.
The library constitutes the core of many other projects at OpenCA Labs
(e.g., PRQP Server, OCSP Responder, and OpenCA-NG). We provide it as a
separate package to enable application developers to easily integrate
X509 digital certificates in their own applications.
Currently we support OpenSSL libraries as low-level crypto provider.
Project Status:
===============
o [10 Feb 2011] v0.6.3/Viper release is available for download
o [17 Nov 2010] v0.6.1/Turkey release is available for download
o [02 Sep 2010] v0.5.1/zoiberg release is available for download
o [27 Aug 2010] v0.5.0/lulu release is available for download
o [24 Mar 2010] v0.4.1/tiger2 release available for download
o [19 Apr 2009] v0.3.0/tiger release available for download
o [16 Jan 2009] v0.2.0/shark release available for download
o [20 Mar 2008] Third release available for download (libpki v0.1.9)
o [25 Oct 2007] Second release available for download (libpki v0.1.8)
o [23 Mar 2007] First initial code available for download (libpki v0.1.1)
Major Changes and Fixes:
========================
o Added pki-cert tool to view/manipulate certificates
o Added PKI_ALGORITHM data structures for initializing X509 algorithm
identifiers
o Fixed name comparison for certificate profile loading
o Fixed URL input management for stdin, stdout, stderr file stream
o Fixed rpath config on Solaris/OpenSolaris
o Added PKI_KEYPARAMS structure to pass key generation parameters to HSMs
o Added compressed/uncompressed encoding options for EC keys
o Fixed default validity in pki-tool
o Added profile/keyParams section parsing in profiles configuration files
(PKI_TOKEN)
o Updated default key min/suggested sizes
o Improved pki-tool command line tool (added params for EC key generation,
better -batch handling)
o Extended no-case keyUsage and extendedKeyUsage extension parsing in profiles
o Fixed return code in PKI_NET_Listen(). Now it returns PKI_ERR in case of
errors or the socket number (e.g., int > 2 ).
o Fix in PKI_X509_OCSP_RESP_STATUS definition
o Fix in token.c (load config)
o Extended ECDSA support (configuration option) and fixed
ECDSA get Algorithm by Name (now working with ECDSA-SHA1, ECDSA-SHA256,...)
o New library versioning
Current Project developers' Tasks:
==================================
Massimiliano Pala is currently working on:
- Enhancing support for ECDSA;
- Enhancing support for PKCS#11 devices (DSA and ECDSA);
- Extending the Log subsystem to provide signed and verifiable logs;
- Enhancing the PKI_MSG interface
Open Issues:
============
o Extensions management is still not stable for complex exts, the code
needs to be checked and extended
o Support for NSS crypto layer still pending
o Porting to Win32 (provide support for Microsoft Crypto API)
Wishes:
=======
o Let us know (!)
References:
===========
The OpenCA Project main website can be found at
http://www.openca.org/
You can find all current versions and available documentation there. You
can also download any part of the software or documentation also at the
official ftp site:
http://www.openca.org/projects/libpki
http://ftp.openca.org/libpki
or from one of the official mirrors:
http://www.openca.org/mirrors.shtml
Thanks
======
Thank you for supporting the Open Source community by using/contributing to/
reporting bugs/cheering this project! Now go ahead and actively contribute to
make the world a better place!
OpenCA Labs Director,
Massimiliano Pala, Ph.D
|
|
From: Announcements a. p. n. <ope...@li...> - 2010-04-05 19:18:15
|
Dear OpenCA Community,
We are experiencing a major web/ftp server failure. Although we have been able to mirror the server in a few minutes, some disruptions may occur until we are able to set up the principal servers again.
Due to DNS propagation the usual http://www.openca.org/ could take a few hours to be accessible again. If you are experiencing difficulties in reaching the servers, use one of the following:
http://www2.openca.org
http://ftp2.openca.org
Please report any major inconvenience you might experience.
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]  op...@ac...  pro...@op...
Dartmouth Computer Science Dept             Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory                        Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us who do.
-- Isaac Asimov
|
|
From: Announcements a. p. n. <ope...@li...> - 2010-03-09 15:46:55
|
Hi OpenCA-ers,
the last OpenCA version (v1.1.0) suffered from several bugs and the binary packages were missing some required files. We have fixed the distribution and we encourage you to download it and install it again:
http://www.openca.org/projects/openca/
The current version has been patched with the latest bug fixes. If you still have problems with your installation, we suggest you check the OpenCA's Wiki pages at:
http://wiki.openca.org/wiki/
to find the latest info about the OpenCA's projects.
As always, we thank all the people who provided feedback and helped us to release a new and improved OpenCA PKI software! Thank you all!
Dr. Massimiliano Pala
- OpenCA Research Labs Director -
|
|
From: Announcements a. p. n. <ope...@li...> - 2010-02-25 06:53:50
|
OpenCA PKI v1.1.0 (samba) Release-Announcement
==========================================
OpenCA PKI v1.1.0 (samba) is released on Feb 24th, 2010.
This version improves the older 1.0.2 version by providing fixes for the
known bugs, improving the User Interface, updating the database structure
for future user-management and community-building.
Because of the many changes in the core parts of the project, we suggest
to test the new system before using it in production environments. We
worked hard to release this new version of OpenCA. We hope you will
enjoy our software and find inspiration to collaborate with us and all the
other users to improve OpenCA even more!
OpenCA Project Overview:
========================
The OpenCA Project is a collaborative effort to develop a robust,
full featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project, mod_ssl.
The project development is divided in two main tasks: studying and
refining the security scheme that guarantees the best model to be
used in a CA and developing software to easily setup and manage a
Certification Authority.
Project Status:
===============
OpenCA version 1.1.0 Status: Released 24 Feb 2010 (samba)
OpenCA version 1.0.2 Status: Released 14 Oct 2008 (ten-ten^2)
OpenCA version 1.0.1 Status: Released 10 Oct 2008 (ten-ten)
OpenCA version 0.9.3 Status: Release Candidate 2 (rc2)
OpenCA version 0.9.3 Status: Release Candidate 1 (rc1)
OpenCA version 0.9.2 Status: Released 11 Oct 2004
OpenCA version 0.9.1 Status: Released 03 Jan 2003
OpenCA version 0.9.0 Status: Released 12 Aug 2002
OpenCA version 0.8.6 Status: Released 17 Jul 2002
OpenCA version 0.8.1 Status: Released 08 Nov 2001
OpenCA version 0.8.0 Status: Bug Fixing
OpenCA version 0.6.0 Status: Never Released
OpenCA version 0.2.0 Status: Released
Core developers Tasks:
=======================
Massimiliano Pala is currently working on:
o Integration with OCSP and PRQP servers
o Web-based configuration
o Binary Packages
Open Issues:
============
o Attributes Certificates Support
o
Wishes:
=======
o
References:
===========
The OpenCA Project main website can be found at http://www.openca.org.
You can find all current versions and available documentation there.
You can also download any part of the software or documentation also at
the official ftp site:
http://ftp.openca.org
or from one of the official mirrors:
http://www.openca.org/mirrors.shtml
Massimiliano Pala
- OpenCA Labs Director -
|
|
From: Announcements a. p. n. <ope...@li...> - 2009-05-07 00:39:05
|
Dear OpenCA community,
we are trying to understand how to improve the current way that browsers' User Interfaces interact with the users when it comes to PKIs. In particular we are interested in: How to improve the browsers' user interface. To do so, we need to understand what the users (YOU) think about the current user interfaces.
We prepared a very simple survey to unveil the mystery behind what you think! If you would like to help us, and have 5 minutes to spare, please go to our main website and click on the Survey link:
http://www.openca.org/
Thank you for your attention, we really hope that you will join our effort in making the PKI world a bit more USABLE each day!
Sincerely,
Massimiliano Pala
OpenCA Labs Director
|
|
From: Announcements a. p. n. <ope...@li...> - 2008-10-15 02:28:42
|
OpenCA v1.0.2 (ten-ten^2) Release-Announcement
==============================================
OpenCA v1.0.1 (ten-ten^2) is released on Oct 14th, 2008.
This version fixes a couple of minor bugs in the ten-ten release.
Here we list some of the changes over version 1.0.1:
* Fixed an #include error in OpenCA.xs that prevented ECDSA
to be correctly enabled
* Added a missing keyword in the ca.conf.template configuration
file
* Fixed wrong permissions in binary distributions that prevented
the correct import of data among different PKI components (eg.,
from the CA to the RA)
OpenCA Project Overview:
========================
The OpenCA Project is a collaborative effort to develop a robust,
full featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project, mod_ssl.
The project development is divided in two main tasks: studying and
refining the security scheme that guarantees the best model to be
used in a CA and developing software to easily setup and manage a
Certification Authority.
Project Status:
===============
OpenCA version 1.0.2 Status: Released 14 Oct 2008
OpenCA version 1.0.1 Status: Released 10 Oct 2008
OpenCA version 0.9.3 Status: Release Candidate 2 (rc2)
OpenCA version 0.9.3 Status: Release Candidate 1 (rc1)
OpenCA version 0.9.2 Status: Released 11 Oct 2004
OpenCA version 0.9.1 Status: Released 03 Jan 2003
OpenCA version 0.9.0 Status: Released 12 Aug 2002
OpenCA version 0.8.6 Status: Released 17 Jul 2002
OpenCA version 0.8.1 Status: Released 08 Nov 2001
OpenCA version 0.8.0 Status: Bug Fixing
OpenCA version 0.6.0 Status: Never Released
OpenCA version 0.2.0 Status: Released
Core developers Tasks:
=======================
Massimiliano Pala is currently working on:
o Ease of installation and Interface Usability of OpenCA
o Better support for new browsers and Operating Systems
o Automatic Operation Enhancement
o Web-based configuration
o Binary Packages
Open Issues:
============
o Attributes Certificates Support
o
Wishes:
=======
o
References:
===========
The OpenCA Project main website can be found at http://www.openca.org.
You can find all current versions and available documentation there.
You can also download any part of the software or documentation also at
the official ftp site:
http://ftp.openca.org
or from one of the official mirrors:
http://www.openca.org/mirrors.shtml
Massimiliano Pala
- OpenCA Core Development Team -
--
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
|
|
From: Announcements a. p. n. <ope...@li...> - 2008-10-12 16:43:50
|
Release-Announcement
====================
OpenCA 1.0.1 (ten-ten) is released on Oct 10th, 2008. We added
a lot of new features and we hope the new version will meet many
of the requirements for your CAs.
Here we list some of the major changes over version 0.9.3:
* Added Minimum Certificate Validity Period for Expiring email sending
(automatically)
* Added extensive information in the Auto(*) daemon activation
pages - to explain the available configuration options.
* Finished AutoEmail daemon for automatic E-Mail sending (both
for newly issued certificates and for expiring certificate
warnings)
* Added the possibility for searching for attributes with multiple
values (eg., multiple roles or LOA for certs)
* Finished AutoCRL daemon for issuing CRL automatically
* Added autoEmail daemon (automatic E-Mail sending)
* Fixed loading/saving of parameters for Auto(*) daemons
* Extended report on the status for Auto(*) daemons
* Fixed CRL and Certificates auto status update (valid/expired)
* Added AutoCRL daemon (needs additional work)
* Added new functions to misc-utils.lib for managing process status
verification and parameter configuration save/restore.
* Fixed search of objects and extra-refs for lists
* Fixed DSA and ECDSA e-mail problems (no encryption is supported)
* Fixed retrieval of requested certificates when the key
is generated on the server (eg., a .p12 is returned now)
* Fixed lists (REQ, CERTS, etc... ) display (more readable)
* Added Level of Assurance Checking (Key Algorithm, Key Generation Mode
and Key Size)
* Added support for requestStatus to request configuration for automatically
approved requests (values can be one of NEW, PENDING, or APPROVED)
* Added support for ldaps and starttls for ldap authenticated browser
requests (etc/datasources.xml)
* Added authenticated (via ldap) browser request form (etc/auth_browser_req.xml)
* Added a default logo page (instead of software version one)
* Added support for the new certificate request form for CA initialization
* Fixed a space-tolerance in RDNs
* Simplified the Certificate Request Page
* Added more configurable and simplified certificate request form
(etc/browser_req.xml)
* Updated script code (no more VB - only javascript)
* Added Vista Support (IE7) for certificate request
* Added DC fields in CA Certificate Request
* Added possibility to specify the subjectAltName via the CA
interface when self-signing the CA certificate
* Fixed Browser and OS recognition in initCGI
* Fixed DN parsing in OpenSSL.pm and REQ.pm to allow bogus DNs
from Windows 2003 server (problem reported by Dmitrij Mironov)
* Added LDAP protocol version selection in config.xml (default 3)
* Added possibility to generate DSA keys, reqs, and certs via
the web interface (eg., for RA/CA operators)
* Added CRL Revocation Code in CRRs
* Fixed several errors in the default RBAC definitions (ACL)
* Fixed name extension when sending .p12 files to the user
* Applied patch from Alexander Klink (cross-site scripting security fix)
* Fixed generation of index.txt file (thanks to Diego de Felice)
* Fixed --with-service-email-account (thanks to Robert Nelson)
* Eliminated debugging info when web-signing (thx to Robert Nelson)
* Added ca_organization, ca_locality, ca_state and ca_country in
etc/config.xml using configure
* Fixed cleanup of directories and ext-modules dependencies
* Fixed menu generation issue that would prevent Safari from
correctly navigating the menu
OpenCA Project Overview:
========================
The OpenCA Project is a collaborative effort to develop a robust,
full featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project, mod_ssl.
The project development is divided in two main tasks: studying and
refining the security scheme that guarantees the best model to be
used in a CA and developing software to easily setup and manage a
Certification Authority.
Project Status:
===============
OpenCA version 1.0.1 Status: Released 10 Oct 2008
OpenCA version 0.9.3 Status: Release Candidate 2 (rc2)
OpenCA version 0.9.3 Status: Release Candidate 1 (rc1)
OpenCA version 0.9.2 Status: Released 11 Oct 2004
OpenCA version 0.9.1 Status: Released 03 Jan 2003
OpenCA version 0.9.0 Status: Released 12 Aug 2002
OpenCA version 0.8.6 Status: Released 17 Jul 2002
OpenCA version 0.8.1 Status: Released 08 Nov 2001
OpenCA version 0.8.0 Status: Bug Fixing
OpenCA version 0.6.0 Status: Never Released
OpenCA version 0.2.0 Status: Released
Core developers Tasks:
=======================
Massimiliano Pala is currently working on:
o Ease of installation and Interface Usability of OpenCA
o Better support for new browsers and Operating Systems
o Automatic Operation Enhancement
o Web-based configuration
o Binary Packages
Open Issues:
============
o Attributes Certificates Support
o
Wishes:
=======
o
References:
===========
The OpenCA Project main website can be found at http://www.openca.org.
You can find all current versions and available documentation there.
You can also download any part of the software or documentation also at
the official ftp site:
http://ftp.openca.org
or from one of the official mirrors:
http://www.openca.org/mirrors.shtml
Massimiliano Pala
- OpenCA Core Development Team -
--
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
|
|
From: Announcements a. p. n. <ope...@li...> - 2007-04-03 22:48:30
|
Announcement:
=============
The OpenCA Team announce the availability of the new project LibPRQP and initial
source code:
Current Version: v0.0.1 (Initial Source Code)
Project Overview:
=================
The LibPRQP package is aimed to provide a PRQP enabling library which can be used
by applications in order to discover PKI services and repositories.
With the deployment of new applications and services, the need to access PKI
resources provided by different organizations is critical. Regrettably, still today
each application needs to be told about how to find these services for each new
certificate it encounters.
The basic concept of the protocol is to provide a method to answer to the question
"where is resource X URL from this CA ?". The resources might be items that are
(occasionally) embedded in certificates today - such as URLs for CRLs or OCSP or
SCVP - as well as items such as addresses of the CA homepage address, the subscription
service, or the revocation request.
Project Status:
===============
o [03 Apr 2007] First initial code available for download (libprqp v0.0.1)
Current Project developers' Tasks:
==================================
Massimiliano Pala is currently working on:
- Cleaning up code;
- Adding easy-to-use PRQP calls;
- Editing the documentation;
- Working at an Internet draft to submit to IETF;
Open Issues:
============
o Many, the code is stable but needs extension
Wishes:
=======
o Let us know (!)
References:
===========
The OpenCA Project main website can be found at
http://www.openca.org/
You can find all current versions and available documentation there. You
can also download any part of the software or documentation also at the
official ftp site:
http://www.openca.org/projects/libprqp
http://ftp.openca.org/libprqp
or from one of the official mirrors:
http://www.openca.org/mirrors.shtml
Thanks
======
Thank you for supporting the Open Source community by using/contributing to/
reporting bugs/cheering this project! Now go ahead and actively contribute to
make the world a better place!
- The OpenCA Team -
|
|
From: Announcements a. p. n. <ope...@li...> - 2007-03-26 02:00:01
|
Announcement:
=============
The OpenCA Team announce the availability of the first version of the LibPKI
library:
Current Version: v0.1.1 (Initial Code)
Project Overview:
=================
The LibPKI Project is aimed to provide an easy-to-use PKI library for PKI enabled
application development. The library provides the developer with all the needed
functionality to manage Public Key Certificates, from generation to validation.
The LibPKI Project enables developers with the possibility to implement complex
cryptographic operations with a few simple function calls by implementing a
high-level cryptographic API.
The library constitutes the core of the OpenCA-NG Project, anyway we provide it
as a separate package in order to encourage applications developers to use it in
their packages.
Currently support for OpenSSL and KMF libraries is provided as low-level crypto
provider.
Project Status:
===============
o [23 Mar 2007] First initial code available for download (libpki v0.1.1)
Current Project developers' Tasks:
==================================
Massimiliano Pala is currently working on:
- Adding support for PKI_TOKEN interface;
- Adding XML support for certificate/request profiles;
- Adding support for XML configuration support;
Open Issues:
============
o Many, the code is stable but needs extension
Wishes:
=======
o Let us know (!)
References:
===========
The OpenCA Project main website can be found at
http://www.openca.org/
You can find all current versions and available documentation there. You
can also download any part of the software or documentation also at the
official ftp site:
http://www.openca.org/projects/libpki
http://ftp.openca.org/libpki
or from one of the official mirrors:
http://www.openca.org/mirrors.shtml
Thanks
======
Thank you for supporting the Open Source community by using/contributing to/
reporting bugs/cheering this project! Now go ahead and actively contribute to
make the world a better place!
- The OpenCA Team -
|
|
From: Announcements a. p. n. <ope...@li...> - 2006-10-21 20:08:09
|
Announcement:
=============
The OpenCA OCSPD Team announce the availability of the last version of
the OCSP responder:
Current Version: 1.5.1-rc1 (Release Candidate 1)
Project Overview:
=================
The OpenCA OCSPD project is aimed to develop a robust and easy-to-install
OCSP daemon. The server is developed as a stand-alone application and can
be integrated into many different PKI solutions as it does not depend on
specific database scheme. Furthermore it can be used as a responder for
multiple CAs.
The OCSP Responder is an rfc2560 compliant OCSPD responder. The purpose of
such a server is to provide an on-line tool to verify the status of a
certificate (such as Mozilla/Firefox/Netscape7).
The Responder was included into the main OpenCA distribution package. It is
also possible to install the daemon as a stand-alone application, all you
will need is a CRL (or access to an LDAP server where to get the CRL from).
Project Status:
===============
OpenCA OCSPD version 1.5.1 Status: rc1 available [21 Oct 2006]
OpenCA OCSPD version 1.1.1 Status: Released [19 Jul 2006]
OpenCA OCSPD version 1.1.0 Status: rc1 available [05 Nov 2005]
OpenCA OCSPD version 1.0.5 Status: Released [29 Aug 2005]
OpenCA OCSPD version 1.0.3 Status: Released [28 Apr 2005]
OpenCA OCSPD version 1.0.2 Status: Released [19 Apr 2005]
OpenCA OCSPD version 0.6.5 Status: Released [28 Jan 2005]
OpenCA OCSPD version 0.6.4 Status: Released [18 Jan 2005]
OpenCA OCSPD version 0.6.2 Status: Released [04 Jan 2005]
OpenCA OCSPD version 0.6.1 Status: Released [28 Oct 2004]
OpenCA OCSPD version 0.5.0 Status: Released [14 May 2004]
OpenCA OCSPD version 0.4.0 Status: Released [21 Feb 2003]
OpenCA OCSPD version 0.3.0 Status: Released [18 Feb 2003]
Current Project developers' Tasks:
==================================
Massimiliano Pala is currently working on:
o Multiple certificate/keys usage for different CA;
o pthread() support;
o Debugging;
Open Issues:
============
o Compliance to RFC-2560 when multiple CAs are configured
Wishes:
=======
o
References:
===========
The OpenCA Project main website can be found at
http://www.openca.org/projects/ocspd
You can find all current versions and available documentation there. You
can also download any part of the software or documentation also at the
official ftp site:
ftp://ftp.openca.org/pub/ocspd/current/
or from one of the official mirrors:
http://www.openca.org/mirrors.shtml
Thanks
======
Thank you for supporting the Open Source community by using/contributing to/
reporting bugs/cheering this project! Now go ahead and actively contribute to
make the world a better place!
- The OpenCA OCSPD Team -
|
|
From: <ope...@li...> - 2004-05-03 07:16:02
|
Dear Open Source developer
I am doing a research project on "Fun and Software Development" in which I kindly invite you to participate. You will find the online survey under http://fasd.ethz.ch/qsf/. The questionnaire consists of 53 questions and you will need about 15 minutes to complete it.
With the FASD project (Fun and Software Development) we want to define the motivational significance of fun when software developers decide to engage in Open Source projects. What is special about our research project is that a similar survey is planned with software developers in commercial firms. This procedure allows the immediate comparison between the involved individuals and the conditions of production of these two development models. Thus we hope to obtain substantial new insights to the phenomenon of Open Source Development.
With many thanks for your participation,
Benno Luthiger
PS: The results of the survey will be published under http://www.isu.unizh.ch/fuehrung/blprojects/FASD/. We have set up the mailing list fa...@we... for this study. Please see http://fasd.ethz.ch/qsf/mailinglist_de.html for registration to this mailing list.
_______________________________________________________________________
Benno Luthiger
Swiss Federal Institute of Technology Zurich
8092 Zurich
Mail: benno.luthiger(at)id.ethz.ch
_______________________________________________________________________
|
|
From: <ope...@li...> - 2004-01-16 17:36:04
|
OpenCA Security Advisory [16 January 2004]
Vulnerability in signature validation
=====================================
A flaw in OpenCA before version 0.9.1.7 could cause OpenCA to accept a
signature from a certificate if the certificate's chain is trusted by
the chain directory of OpenCA. This means that a certificate from
another PKI can authorize operations on the used PKI if the chain of the
used signature certificate can establish a trust relationship to the
actually used PKI.
Alexandru Matei found the bug during a source code verification.
Alexandru Matei and Michael Bell of the OpenCA core team fixed the
problem for OpenCA 0.9.1 and the CVS HEAD.
Vulnerability
-----------------
OpenCA has a library for common crypto operations - crypto-utils.lib.
This library includes a function to check a signature
(libCheckSignature). The function loads the used signature certificate
from OpenCA's database and finally ensures that the used signature
certificate is identical with the certificate in the database.
The comparison of the certificate in the database and the certificate
of the signer was only performed on base of the serial of the
certificate. The design of the function can cause the acceptance
of a signature if the chain of the signature can create a
trust relationship to the chain directory of OpenCA and a certificate
with a matching serial exists in the used PKI.
Who is affected?
------------------
All versions of OpenCA including 0.9.1.6. A security risk is present for
people who are using digital signatures to secure approved requests
or role based access control (RBAC).
Recommendations
-----------------
Upgrade to 0.9.1.7 and use newer snapshots than
openca-SNAP-20040114.tar.gz. You can fix the problem by yourself too
with the included patch. The original file which we used to create
the diff is from OpenCA 0.9.1.6.
-----BEGIN PATCH-----
--- src/common/lib/functions/crypto-utils.lib 2004-01-15
12:10:45.000000000 +0100
+++ src/common/lib/functions/crypto-utils.lib.new 2004-01-15
12:10:06.000000000 +0100
@@ -201,7 +201,7 @@
"__ERRVAL__",
$OpenCA::X509::errval);
return undef;
}
- last if ( $tmpCert->getSerial() eq $sigCert->getSerial() );
+ last if ( $tmpCert->getPEM() eq $sigCert->getPEM() );
$sigCert = undef;
}
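Review bot: The replacement test on the "+" line, $tmpCert->getPEM() eq $sigCert->getPEM(), is a raw string comparison, so it only matches when the database copy and the copy taken from the signature are encoded byte for byte the same (line wrapping, line endings, any text before the BEGIN line). A mismatch fails closed because $sigCert is reset to undef on the next line, but it would also reject a valid signer; consider comparing a canonical form such as the DER bytes or a digest of them, and add a comment stating why the serial alone is not sufficient (serials are unique only per issuing CA).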
-----END PATCH-----
References
------------
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0004 to this issue.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0004
URL for this Security Advisory:
http://www.openca.org/news/CAN-2004-0004.txt
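The flawed and the patched comparison from the advisory above, side by side, as an added example that is not part of the advisory or of OpenCA's code. It is a Python model (OpenCA itself is Perl); Cert, make_cert, authorize, the CA names and the sample certificates are hypothetical, and the chain check is reduced to an issuer lookup.

```python
# Added example: a model of the signer-matching step described in the
# advisory. All certificates are constructed stand-ins, not real X.509.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    issuer: str     # DN of the issuing CA
    serial: int     # unique only among certificates of the same issuer
    subject: str
    encoded: bytes  # stand-in for the certificate's PEM encoding


def make_cert(issuer: str, serial: int, subject: str) -> Cert:
    """Build a constructed certificate record with a deterministic encoding."""
    encoded = f"{issuer}|{serial:X}|{subject}".encode()
    return Cert(issuer, serial, subject, encoded)


def match_by_serial(db_cert: Cert, sig_cert: Cert) -> bool:
    """Behaviour before 0.9.1.7: only the serial numbers are compared."""
    return db_cert.serial == sig_cert.serial


def match_by_encoding(db_cert: Cert, sig_cert: Cert) -> bool:
    """Patched behaviour: the whole encoded certificate must be identical."""
    return db_cert.encoded == sig_cert.encoded


def authorize(sig_cert: Cert,
              database: Iterable[Cert],
              chain_dir: Set[str],
              matcher: Callable[[Cert, Cert], bool]) -> Optional[str]:
    """Return the subject of the database certificate the signature is
    attributed to, or None when the signature is rejected."""
    # Step 1 (simplified): the signer's chain must end in the chain directory.
    if sig_cert.issuer not in chain_dir:
        return None
    # Step 2: the signer certificate must match one stored by the local PKI.
    for db_cert in database:
        if matcher(db_cert, sig_cert):
            return db_cert.subject
    return None


# Constructed scenario: the chain directory trusts the local CA and a second
# PKI. The database holds only certificates issued by the local CA.
CHAIN_DIR = {"CN=Local CA", "CN=Partner CA"}
DATABASE = [
    make_cert("CN=Local CA", 0x1A, "CN=RA Operator"),
    make_cert("CN=Local CA", 0x1B, "CN=Web Server"),
]
GENUINE = DATABASE[0]
# Issued by the other PKI, and its serial happens to equal the operator's.
FOREIGN = make_cert("CN=Partner CA", 0x1A, "CN=Partner User")
# Same serial again, but the issuer is not in the chain directory.
UNTRUSTED = make_cert("CN=Unknown CA", 0x1A, "CN=Stranger")


def run_scenario() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each signer to (result with serial match, result with full match)."""
    signers = {"genuine": GENUINE, "foreign": FOREIGN, "untrusted": UNTRUSTED}
    return {
        name: (authorize(cert, DATABASE, CHAIN_DIR, match_by_serial),
               authorize(cert, DATABASE, CHAIN_DIR, match_by_encoding))
        for name, cert in signers.items()
    }


if __name__ == "__main__":
    for name, (old, new) in run_scenario().items():
        print(f"{name:10} serial-only: {old!s:16} full-certificate: {new}")
```

With the serial-only matcher the signature from the second PKI is attributed to the local RA operator; with the full comparison it is rejected, while the genuine operator certificate is still accepted.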
|
|
From: <ope...@li...> - 2003-11-28 12:03:40
|
OpenCA Security Advisory [28 November 2003]
Vulnerabilities in signature validation
=======================================
Multiple flaws in OpenCA before version 0.9.1.4 could cause OpenCA to
use an incorrect certificate in the chain to determine the serial being
checked which could lead to certificates that are revoked or expired
being incorrectly accepted.
Chris Covell and Gottfried Scheckenbach performed tests with OpenCA and
CA hierarchies. They had problems to verify signatures with some
functions in OpenCA which test the signer's certificate.
Michael Bell of the OpenCA core team identified and fixed the problems
for OpenCA 0.9.1 and the CVS HEAD.
Vulnerabilities
-----------------
1. OpenCA has a library for common crypto operations - crypto-utils.lib.
This library includes a function to determine the serial of the
certificate which somebody used to create a PKCS#7 signature. The
function uses this serial to load and return the certificate. The
function used the interface of OpenCA::PKCS7 (the OpenCA PKCS#7
module) in a wrong way.
2. The crypto library crypto-utils.lib uses all certificates which were
included into the signature to create the X.509 object of the
signer's certificate. The result is an object which was created from
one of the certificates of the certificate chain. This means that
the result is haphazard.
3. OpenCA::PKCS7 includes a wrong regular expression to detect lines
which have nothing to do with the parsing of the certificate chain.
4. The serials in the certificate chain were parsed with a wrong regular
expression in OpenCA::PKCS7. Big letters like A, C, B, D, E and F
were ignored.
Who is affected?
------------------
All versions of OpenCA including 0.9.1.3. A security risk is present for
people who are using digital signatures to secure approved requests
or role based access control (RBAC).
Recommendations
-----------------
Upgrade to 0.9.1.4 and use newer snapshots than
openca-0.9-SNAP-20031125.tar.gz. You can fix the problem by yourself too
with the included patches. The original files which we used to create
the diffs are from OpenCA 0.9.1.3.
-----BEGIN PATCH-----
--- openca-0.9.1.3/src/modules/openca-pkcs7/PKCS7.pm 2002-09-10
16:42:02.000000000 +0200
+++ openca-0.9.1.4/src/modules/openca-pkcs7/PKCS7.pm 2003-11-26
15:54:08.000000000 +0100
@@ -69,7 +69,7 @@
our ($errno, $errval);
-($OpenCA::PKCS7::VERSION = '$Revision: 1.12 $' )=~ s/(?:^.*:
(\d+))|(?:\s+\$$)/defined $1?"0\.9":""/eg;
+($OpenCA::PKCS7::VERSION = '$Revision: 1.12.2.1 $' )=~ s/(?:^.*:
(\d+))|(?:\s+\$$)/defined $1?"0\.9":""/eg;
my %params = (
inFile => undef,
@@ -167,6 +167,8 @@
my ( $ret, $tmp );
+ return $self->{parsed} if ($self->{parsed});
+
$tmp = $self->{backend}->verify( SIGNATURE=>$self->{signature},
DATA_FILE=>$self->{dataFile},
CA_CERT=>$self->{caCert},
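Review bot: The early return of $self->{parsed} sits before the backend verify call and nothing in this hunk clears the cached value, so an object whose signature, dataFile or caCert is changed after the first call keeps returning the result computed for the old inputs. Either reset $self->{parsed} wherever those fields are assigned, or add a comment stating that a PKCS7 object is bound to one signature for its lifetime.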
@@ -292,10 +294,10 @@
($self->{status}) = ( $line =~
/^\s*error:([^:]*):/ );
}
- next if( $line != /^depth/i );
+ next if( $line !~ /^depth/i );
( $currentDepth, $serial, $dn ) =
- ( $line =~ /depth:([\d]+) serial:([a-f\d]+)
subject:(.*)/ );
+ ( $line =~ /depth:([\d]+) serial:([a-fA-F\d]+)
subject:(.*)/ );
$ret->{$currentDepth}->{SERIAL} = hex ($serial) ;
$ret->{$currentDepth}->{DN} = $dn;
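Review bot: The result of the capture match is still not checked, so a line that starts with depth but does not fit the pattern leaves $currentDepth, $serial and $dn undefined, and the next two lines then store hex(undef), which is 0, and an undefined DN under an undefined key. Skip or fail on such a line, for example with next unless defined $serial. Two smaller points: the line filter is case-insensitive (/^depth/i) while the capture pattern only matches a lowercase depth:, and hex() loses precision for serials wider than the platform's native integer, so keeping the hex string as the SERIAL value would be safer than converting it.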
--- openca-0.9.1.3/src/common/lib/functions/crypto-utils.lib
2002-12-22 13:08:19.000000000 +0100
+++ openca-0.9.1.4/src/common/lib/functions/crypto-utils.lib
2003-11-26 13:04:50.000000000 +0100
@@ -176,19 +176,36 @@
return undef;
}
- ## Get signer certificate from the pkcs7 structure
- $sigCert = new OpenCA::X509 ( SHELL => $cryptoShell,
- DATA => $sig->getSigner()->{CERTIFICATE});
-
- if( not $sigCert ) {
- $errno = 6103;
- $errval = i18nGettext ("Signer's certificate is
corrupt!\nOpenCA::X509 returns errorcode __ERRNO__ (__ERRVAL__).",
- "__ERRNO__", $OpenCA::X509::errno,
- "__ERRVAL__", $OpenCA::X509::errval);
- return undef;
+ ## Get signer certificate chain from the pkcs7 structure
+ my @chain = split /-----END CERTIFICATE-----/,
+ $sig->getSigner()->{CERTIFICATE};
+ for (my $i=0; $i < scalar @chain; $i++)
+ {
+ if (not $chain[$i])
+ {
+ delete $chain[$i];
+ next;
+ }
+ $chain[$i] .= "-----END CERTIFICATE-----";
+ $chain[$i] =~ s/^.*-----BEGIN
CERTIFICATE-----/-----BEGIN CERTIFICATE-----/s;
+ }
+ $sigCert = undef;
+ for (my $i=0; $i < scalar @chain; $i++)
+ {
+ $sigCert = new OpenCA::X509 ( SHELL => $cryptoShell,
+ DATA => $chain[$i]);
+ if( not $sigCert ) {
+ $errno = 6103;
+ $errval = i18nGettext ("Signer's certificate is
corrupt!\nOpenCA::X509 returns errorcode __ERRNO__ (__ERRVAL__).",
+ "__ERRNO__",
$OpenCA::X509::errno,
+ "__ERRVAL__",
$OpenCA::X509::errval);
+ return undef;
+ }
+ last if ( $tmpCert->getSerial() eq $sigCert->getSerial() );
+ $sigCert = undef;
}
- if( $tmpCert->getSerial() ne $sigCert->getSerial() ) {
+ if( not $sigCert ) {
$errno = 6104;
$errval = gettext ("Signer's Certificate and DB's
Certificate do not match");
return undef;
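Review bot: The empty-fragment test in the first loop (if (not $chain[$i])) only catches an empty string, so the fragment left after the last -----END CERTIFICATE----- marker, typically a bare newline, gets an END marker appended and is handed to OpenCA::X509 in the second loop; when no earlier certificate matches, the caller gets 6103 (certificate corrupt) instead of 6104 (no match). Filter on the presence of -----BEGIN CERTIFICATE----- instead, and build a new list rather than calling delete on an array element, which for any element but the last leaves an undef slot that the second loop still visits. Also, the match is on getSerial() alone; serial numbers are unique only per issuer, so in a CA hierarchy the comparison should include the issuer DN as well.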
@@ -281,19 +298,8 @@
return undef;
}
- my $sigCert = new OpenCA::X509 ( SHELL => $cryptoShell,
- DATA =>
$sig->getSigner()->{CERTIFICATE});
-
- if (not $sigCert) {
- $errno = 6302;
- $errval = i18nGettext ("Cannot create X509-object from
the certificate of the signer! OpenCA::X509 returns errorcode __ERRNO__
(__ERRVAL__).",
- "__ERRNO__", $OpenCA::X509::errno,
- "__ERRVAL__", $OpenCA::X509::errval);
- return undef;
- }
-
my $db_cert = $db->getItem( DATATYPE => 'CERTIFICATE',
- KEY => $sigCert->getSerial() );
+ KEY => $sig->getSigner()->{SERIAL} );
if( not $db_cert ) {
$errno = 6303;
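Review bot: The lookup key changes from $sigCert->getSerial() to $sig->getSigner()->{SERIAL} with no check that the value is defined or in the format the database expects. Elsewhere in this patch PKCS7.pm stores chain serials as hex($serial), a decimal number, while viewSignature applies hex() to getSerial(), which suggests the two sources use different representations. Please confirm which one getItem expects for KEY, and return the 6303 error early when {SERIAL} is undefined.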
--- openca-0.9.1.3/src/common/lib/cmds/verifySignature 2003-03-31
15:45:19.000000000 +0200
+++ openca-0.9.1.4/src/common/lib/cmds/verifySignature 2003-11-26
13:04:34.000000000 +0100
@@ -11,7 +11,7 @@
## Get the Configuration parameters ...
my ( $parsed, $lnk, $serLink, $sigInfo, $sigStatus, $signer, $signature);
my ( $baseDoc, $info, $sigCertStatus, $def, $dbStatus, $dbMessage);
-my ( $myCN, $myEmail, $mySerial, @sigCert, $tmpCert, $pCert );
+my ( $myCN, $myEmail, $mySerial, $tmpCert, $pCert );
## Get Required Parameters from Configuration
my $baseDoc = getRequired ('verifySignatureform');
@@ -53,10 +53,7 @@
$myDN = $signer->{DN};
$myDN =~ s/^\///; $myDN =~ s/\//<BR>/g;
-$sigCert = new OpenCA::X509 ( SHELL => $cryptoShell,
- DATA => $sign->getSigner()->{CERTIFICATE});
-
-$issuerDN = $sigCert->getParsed()->{ISSUER};
+$issuerDN = $sign->getParsed()->{CHAIN}->{1}->{DN};
$issuerDN =~ s/^\///; $issuerDN =~ s/[\/\,]/<BR>/g;
## Check Signature Status
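Review bot: The new $issuerDN line reads {CHAIN}->{1}->{DN} on the assumption that the signer sits at depth 0 and that its issuer is always present in the signature at depth 1. When the signature carries only the signer's certificate, or the signer is self-signed, there is no depth 1 entry, $issuerDN is undef, and the two substitutions on the next line run on an undefined value (the lookup also autovivifies an empty {1} entry in the parsed chain). Check that the entry exists before reading it and fall back to a placeholder such as the n/a used for the other fields.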
@@ -71,7 +68,7 @@
$dbStatus = $errno;
$sigStatus = "<FONT
COLOR=\"Red\">".gettext("Unknown")."</FONT>";
- $serLink = $sigCert->getSerial();
+ $serLink = $sign->getSigner()->{SERIAL};
} else {
$sigMessage = gettext("Signature correctly verified");
}
@@ -96,11 +93,7 @@
$serLink = $tmpCert->getSerial();
}
-if( $sigCert ) {
- $pCert = $sigCert->getParsed();
-} elsif ( $tmpCert ) {
- $pCert = $tmpCert->getParsed();
-}
+$pCert = $tmpCert->getParsed();
## View the Operator Used Certificate Data
$page = $query->subVar( $page, '@DN@', ($myDN or "n/a" ) );
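Review bot: The replacement line calls $tmpCert->getParsed() unconditionally, while the removed block only called getParsed() when $sigCert or $tmpCert was set; the removed elsif ( $tmpCert ) test implies $tmpCert can be unset at this point. Calling a method on undef is fatal in Perl, which would turn an unknown-signer result into a script error instead of a page showing n/a. Keep the guard: $pCert = $tmpCert->getParsed() if ( $tmpCert );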
--- openca-0.9.1.3/src/common/lib/cmds/viewSignature 2002-12-10
16:18:15.000000000 +0100
+++ openca-0.9.1.4/src/common/lib/cmds/viewSignature 2003-11-26
13:04:34.000000000 +0100
@@ -11,7 +11,7 @@
## Get the Configuration parameters ...
my ( $parsed, $lnk, $serLink, $sigInfo, $sigStatus, $signer, $signature);
my ( $baseDoc, $info, $sigCertStatus, $def, $dbStatus, $dbMessage);
-my ( $myCN, $myEmail, $mySerial, @sigCert, $tmpCert, $pCert );
+my ( $myCN, $myEmail, $mySerial, $tmpCert, $pCert );
my $dataType = $query->param('dataType' );
my $key = $query->param('key');
@@ -54,9 +54,6 @@
name=>"EMAIL",
value=>$signer->{DN_HASH}->{EMAILADDRESS}[0]} );
$myEmail = $lnk->a({-href=>$lnk->self_url()},
$signer->{DN_HASH}->{EMAILADDRESS}[0]);
-$sigCert = new OpenCA::X509 ( SHELL => $cryptoShell,
- DATA =>
$signature->getSigner()->{CERTIFICATE});
-
## Check Signature Status
if( not libCheckSignature( SIGNATURE=>$signature ) ) {
$sigStatus = "<FONT COLOR=\"Red\">".gettext("Error")."</FONT>";
@@ -105,7 +102,7 @@
$serLink = $lnk->a({-href=>$lnk->self_url()},
$tmpCert->getSerial() );
- $decSerLink = "( " . hex( $sigCert->getSerial() ) . " )";
+ $decSerLink = "( " . hex( $tmpCert->getSerial() ) . " )";
$lnk = new CGI({cmd => "search",
dataType => "CERTIFICATE",
@@ -114,11 +111,7 @@
$myEmail = $lnk->a({-href=>$lnk->self_url()},
$tmpCert->getParsed()->{EMAILADDRESS});
}
-if( $sigCert ) {
- $pCert = $sigCert->getParsed();
-} elsif ( $tmpCert ) {
- $pCert = $tmpCert->getParsed();
-}
+$pCert = $tmpCert->getParsed();
## View the Operator Used Certificate Data
$page = $query->subVar( $page, '@CN@', ($myCN or "n/a" ) );
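Review bot: $pCert = $tmpCert->getParsed() has lost the if/elsif guard that the removed lines had, while the preceding context still uses $tmpCert only inside a block. If $tmpCert can be undefined when that block is skipped, this line dies instead of rendering the page with n/a values; guard the call or confirm that every path reaching it sets $tmpCert.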
-----END PATCH-----
References
------------
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0960 to this issue.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0960
URL for this Security Advisory:
http://www.openca.org/news/CAN-2003-0960.txt
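The effect of vulnerabilities 3 and 4 can be reproduced by running the old and new line filter and serial pattern from the PKCS7.pm hunk side by side. This is an added example, not OpenCA code: the sample lines are constructed to fit the patch's pattern, and parse_old, parse_fixed, the empty $_ and the die on an unparseable line are assumptions of the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in the shape the patch's pattern expects
# (depth:N serial:HEX subject:DN), plus one unrelated line.
my @lines = (
    'depth:0 serial:1A subject:/C=XX/O=Example/CN=Signer',
    'depth:1 serial:0b subject:/C=XX/O=Example/CN=Sub CA',
    'depth:2 serial:00 subject:/C=XX/O=Example/CN=Root CA',
    'unrelated status line',
);

# Filter and pattern as on the '-' lines of the PKCS7.pm hunk (0.9.1.3).
sub parse_old {
    my %chain;
    no warnings;      # the old logic runs on undef and non-numeric values
    local $_ = '';    # assumption: $_ holds nothing starting with "depth"
    for my $line (@_) {
        # '!=' compares $line numerically with the result of matching $_,
        # so for these lines it is 0 != 0 and nothing is ever skipped.
        next if ( $line != /^depth/i );
        # An uppercase hex digit makes the whole match fail, which leaves
        # depth, serial and DN undefined for that certificate.
        my ( $depth, $serial, $dn ) =
            ( $line =~ /depth:([\d]+) serial:([a-f\d]+) subject:(.*)/ );
        $chain{$depth}{SERIAL} = hex($serial);
        $chain{$depth}{DN}     = $dn;
    }
    return \%chain;
}

# Filter and pattern as on the '+' lines (0.9.1.4).
sub parse_fixed {
    my %chain;
    for my $line (@_) {
        next if ( $line !~ /^depth/i );
        my ( $depth, $serial, $dn ) =
            ( $line =~ /depth:([\d]+) serial:([a-fA-F\d]+) subject:(.*)/ );
        # Added check, not part of the patch: a depth line that does not
        # parse is an error, not an entry stored under an undefined key.
        die "unparseable chain line: $line\n" unless defined $serial;
        $chain{$depth}{SERIAL} = hex($serial);
        $chain{$depth}{DN}     = $dn;
    }
    return \%chain;
}

# Print both results; an empty depth key marks an entry built from undef.
for my $case ( [ '0.9.1.3', parse_old(@lines) ],
               [ '0.9.1.4', parse_fixed(@lines) ] ) {
    my ( $label, $chain ) = @$case;
    print "$label:\n";
    for my $depth ( sort keys %$chain ) {
        printf "  depth=%-2s serial=%-3s dn=%s\n",
            ( length($depth) ? $depth : '?' ),
            $chain->{$depth}{SERIAL},
            $chain->{$depth}{DN} // '(none)';
    }
}
```

With the old logic the depth 0 entry, the signer, is missing from the parsed chain and a bogus entry with serial 0 and no DN appears in its place; with the fixed logic all three depths carry their own serial and DN.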
|
|
From: <ope...@li...> - 2003-01-07 22:41:06
|
OpenCA 0.9.1 RELEASED - Developer Release
=========================================
OpenCA - The Open Certification Authority Toolkit
(http://www.openca.org)
The OpenCA core team wants to announce the newly issued Release of
the OpenCA software.
OpenCA Project Overview:
========================
The OpenCA Project is a collaborative effort to develop a robust,
full featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project's httpd,
mod_ssl.
The project development is divided into two main tasks: studying
and refining the security scheme that guarantees the best model to
be used in a CA and developing software to easily setup and manage
a Certification Authority.
Project Status:
===============
OpenCA version 0.9.2 Status: Under Development
OpenCA version 0.9.1 Status: Released 07 Jan 2003
OpenCA version 0.9.0 Status: Released 12 Aug 2002
OpenCA version 0.8.6 Status: Released 17 Jul 2002
OpenCA version 0.8.1 Status: Released 08 Nov 2001
OpenCA version 0.8.0 Status: Released 02 Nov 2001
OpenCA version 0.6.0 Status: [ Never Released ]
OpenCA version 0.2.0 Status: Released 16 Nov 1999
OpenCA Current features:
========================
o Certification Authority can now import requests, list certificate
requests, export certs, archive requests, view archived requests,
delete requests, issue certificates, verify RA operator identity,
export CRL;
o Registration Authorities Server can list pending/deleted/archived
requests, approve requests, export requests to removable media,
import new certs from removable media, import CRLs, export CA
certificate to LDAP, export CRLs to LDAP, initialize LDAP, export
client certificates to LDAP;
o Public server can list pending requests, accept PKCS#10 certification
requests, accept SPKAC certification requests, accept IE certification
requests, deliver issued certificates to users, deliver issued CRLs
to users, display CRLs, list users' certificates;
Core developers' Tasks:
=======================
Massimiliano Pala is currently working on:
o OCSP responder development/integration
o Smart Cards integration
o SCEP support and integration
o XML interfaces
Michael Bell is currently working on:
o DBI module updating (DB2/Oracle/Postgres/MySQL support)
o RBAC Module (Role Based Management)
o Revocation Process engineering through the use of CRIN codes
(Certificate Revocation PIN)
o LDAP support improving
o Export-Import utils
o i18n
o RPMS
OpenCA differences between previous release (0.9.0):
=====================================================
o I18N support added:
- English language supported
- German language supported
- Spanish language supported
o IE-fixes:
- fixed getcert
- download of certificates from other users via the pub-gw works
- rewrite the requestgeneration for IE because of some problems with
Siemens CardOS CSP
- integrated security-fix of Microsoft for MS02-48
o RBAC:
- deactivated debugging in rbac-utils.lib
- removed conf-file for raServerInfo
- added conf-file for serverInfo
- security bugfix against misconfiguration of mod_ssl
- some signatures will no longer be used because they bring us
no additional security
o Batch Processors:
- keybackup integrated into batchprocessor (still alpha)
- PINs in the batchprocessors are now encrypted
o DBMS:
- explicit commit and rollback for SQL-databases
- fixed DBI because MySQL is really sensitive for blanks between
functions and parenthesis
- cleanup interface of OpenCA::DBI (DB2 works again) and avoid
crashes of the web interfaces if databases are down
- fixed status bug in OpenCA::DBI (EXPIRED works now)
- fixed several problems in OpenCA::DB
o Miscellaneous:
- fixed serials in the DN (now the user sees only decimal numbers)
- fixed the signatureverification
- use strict; in all webinterfaces
- several performance enhancements in OpenCA::REQ and OpenCA::X509
to speedup lists
- new export/import system supports incremental exports
- support for HSMs added (Chrysalis-ITS Luna CA3) - special thanks
to Bahaaldin Al-Amood <bal...@vt...>
- certificates cannot have a longer lifetime than the CA-cert now
- added special CRL-generation
- LDAP v3 supported
- perl 5.8 supported
Notes:
======
This release still is a developer-only version. Please refer to our web
site on how to contribute to the project: you are strongly encouraged
to contribute to the project so as to speed up community driven
development, the best. Mailing lists are also available.
Software Availability
=====================
We consider the announced version the most reliable one, and we
encourage users of older ones to upgrade their packages. Currently you
can find archives at our web site http://www.openca.org/openca or at
our ftp server ftp://ftp.openca.org.
Mirrors list:
o take a look at http://www.openca.org/openca/mirrors.shtml
We hope you find this software useful and to receive many comments
and/or proposal and/or code coming from the users' community.
Mirroring Notes
===============
If you plan to mirror us, please let us know as to make your ftp site
available among the mirrors list.
Contacts
========
To contact us, please visit our web site where you will find any
information on how to send your comments to us.
Massimiliano Pala
- OpenCA PKI development Team -
|
|
From: <ope...@li...> - 2002-09-24 09:45:52
|
OpenCA 0.9.0 RELEASED - Developer Release
=========================================
OpenCA - The Open Certification Authority Toolkit
(http://www.openca.org)
The OpenCA core team wants to announce the newly issued Release of
the OpenCA software.
OpenCA Project Overview:
========================
The OpenCA Project is a collaborative effort to develop a robust,
full featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project's httpd,
mod_ssl.
The project development is divided into two main tasks: studying
and refining the security scheme that guarantees the best model to
be used in a CA and developing software to easily setup and manage
a Certification Authority.
Project Status:
===============
OpenCA version 0.9.1 Status: Release Candidate 5
OpenCA version 0.9.0 Status: Released 12 Aug 2002
OpenCA version 0.8.6 Status: Released 17 Jul 2002
OpenCA version 0.8.1 Status: Released 08 Nov 2001
OpenCA version 0.8.0 Status: Released 02 Nov 2001
OpenCA version 0.6.0 Status: [ Never Released ]
OpenCA version 0.2.0 Status: Released 16 Nov 1999
OpenCA Current features:
========================
o Certification Authority can now import requests, list certificate
requests, export certs, archive requests, view archived requests,
delete requests, renew requests, issue certificates, revoke
certificates, verify RA operator identity, export CRL
o Online Administration server can initialize the online-database,
import certificates, mail and CRLs from removable media, export
certificate signing and revocation requests, automatically update
LDAP during import, send prepared emails automatically and manually
o Registration Authority can list pending/deleted/archived
requests, edit requests, approve requests, delete requests, send
email to user, download private keys and certificate in PKCS#12-,
PKCS#8- and SSLeay-format
o LDAP management interface can export CA certificate to LDAP,
export CRLs to LDAP, initialize LDAP, export client certificates to
LDAP, remove certificates from LDAP
o Public server can list pending requests, accept PKCS#10 certification
requests, accept SPKAC certification requests, accept IE certification
requests, generate certification requests, deliver issued certificates
to users, deliver issued CRLs to users, display CRLs, list users'
certificates, test certificates;
Core developers' Tasks:
=======================
Massimiliano Pala is currently working on:
o OCSP responder development/integration;
o Smart Cards integration;
o RPMs;
Michael Bell is currently working on:
o DBI module updating (DB2/Oracle/Postgres/MySQL support)
o RBAC (Role Based Access Control)
o Revocation Process engineering through the use of CRIN codes
(Certificate Revocation PIN) and signing
o LDAP support improving
o Export-Import utils
o Batchprocessors including support for keyrecovery
OpenCA differences between previous release (0.8.6):
=====================================================
o complete initialization through the webinterface
o serverside requestgeneration for support of browsers which cannot
create requests
o support for keygeneration by the RA (some people want to distribute
smartcards directly via their RA)
o full support for CRRs
o certificate signing requests and the resulting certificates are
linked to each other
o support for Windows 2000 smartcardlogin was tested
Notes:
======
This release still is a developer-only version. Please refer to our web
site on how to contribute to the project: you are strongly encouraged to
contribute to the project so as to speed up community driven development,
the best. Mailing lists are also available.
Software Availability
=====================
We consider the announced version the most reliable one, and we encourage
users of older ones to upgrade their packages. Currently you can find
archives at our web site ftp://ftp.openca.org.
Mirrors list:
o take a look at http://www.openca.org/openca/mirrors.shtml
We hope you find this software useful and to receive many comments and/or
proposal and/or code coming from the users' community.
Mirroring Notes
===============
If you plan to mirror us, please let us know as to make your ftp site
available among the mirrors list.
Contacts
========
To contact us, please visit our web site where you will find any
information on how to send your comments to us.
Massimiliano Pala
- OpenCA PKI development Team -
|
|
From: <ope...@li...> - 2001-11-08 11:49:07
|
OpenCA New Release Announcement:
================================
OpenCA Project Overview:
========================
The OpenCA Project is a collaborative effort to develop a robust,
full featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project's httpd,
mod_ssl.
The project development is divided into two main tasks: studying
and refining the security scheme that guarantees the best model to
be used in a CA and developing software to easily setup and manage
a Certification Authority.
Project Status:
===============
OpenCA version 0.9.0 Status: Developing
OpenCA version 0.8.0 Status: Released 02 Nov 2001
OpenCA version 0.8.0 Status: Released 02 Nov 2001
OpenCA version 0.6.0 Status: [ Never Released ]
OpenCA version 0.2.0 Status: Released 16 Nov 1999
OpenCA Current features:
========================
o Certification Authority can now import requests, list certificate
requests, export certs, archive requests, view archived requests,
delete requests, issue certificates, verify RA operator identity,
export CRL;
o Registration Authorities Server can list pending/deleted/archived
requests, approve requests, export requests to removable media,
import new certs from removable media, import CRLs, export CA
certificate to LDAP, export CRLs to LDAP, initialize LDAP, export
client certificates to LDAP;
o Public server can list pending requests, accept PKCS#10 certification
requests, accept SPKAC certification requests, accept IE certification
requests, deliver issued certificates to users, deliver issued CRLs
to users, display CRLs, list users' certificates;
OpenCA differences to previous release (0.8.0):
===============================================
o Fixed some Makefile errors on Solaris
o Added (missing) getcert command on public server
o Fixed LDAP certificate adding (sn)
o Fixed provided OpenSSL extfiles (certificate extensions profiles)
o Fixed link on public server for retrieving CA certificate
References:
===========
The OpenCA Project main website can be found at http://www.openca.org (or
at http://openca.sourceforge.net). You can find all current versions and
available documentation there.
You can also download any part of the software or documentation also at the
official ftp site:
ftp://ftp.openca.org
ftp://openca.sourceforge.net/pub/openca (soon removed)
or from one of the official mirrors:
http://www.openca.org/openca/mirrors.shtml
Massimiliano Pala
OpenCA PKI development Group
|
|
From: <ope...@li...> - 2001-11-02 15:27:04
|
OpenCA Project Overview:
========================
The OpenCA Project is a collaborative effort to develop a robust,
full featured and Open Source out-of-the-box Certification Authority
implementing the most used protocols with full-strength cryptography
world-wide. OpenCA is based on many Open Source Projects. Among the
supported software is OpenLDAP, OpenSSL, Apache Project's httpd,
mod_ssl.
The project development is divided into two main tasks: studying
and refining the security scheme that guarantees the best model to
be used in a CA and developing software to easily setup and manage
a Certification Authority.
Project Status:
===============
OpenCA version 0.9.0 Status: Developing
OpenCA version 0.8.0 Status: Released 02 Nov 2001
OpenCA version 0.6.0 Status: [ Never Released ]
OpenCA version 0.2.0 Status: Released 16 Nov 1999
OpenCA Current features:
========================
o Certification Authority can now import requests, list certificate
requests, export certs, archive requests, view archived requests,
delete requests, issue certificates, verify RA operator identity,
export CRL;
o Registration Authorities Server can list pending/deleted/archived
requests, approve requests, export requests to removable media,
import new certs from removable media, import CRLs, export CA
certificate to LDAP, export CRLs to LDAP, initialize LDAP, export
client certificates to LDAP;
o Public server can list pending requests, accept PKCS#10 certification
requests, accept SPKAC certification requests, accept IE certification
requests, deliver issued certificates to users, deliver issued CRLs
to users, display CRLs, list users' certificates;
OpenCA differences to previous release (0.2.0):
===============================================
o Modularization process completed. OpenCA now uses a series of modules
to easily code organization and handling of pki related objects (such
as certificates, crl, requests, etc...).
o Added support for Internet Explorer for requesting certificates.
o Stripped off the EMAIL field from certificates (default behaviour,
this could be avoided by editing the email_in_dn parameter in the
provided openssl configuration file);
o Initial Certificate extensions management. Actually it is possible to
add new certificates profiles (using openssl extfiles). This gives
the possibility both to the RA Operator and to the CA Operator to
choose the certificate's profile to be used.
o Added support for managing DNs before approving a request.
o LDAP support included using new perl-ldap module over the Net-LDAPApi
one. We have decided to move to the perl-ldap module because of many
problems found when installing the old Net-LDAPApi module as this is
no more supported and incompatibility issues arise with openldap 2.xx
versions.
o DB backend support added for PKI related objects. The DB backend
currently has support for file-based DBMs and for SQL DBMs (mySql,
Oracle, DB2, Postgres).
o DBMs backend initialization is web-based both on the RAServer and
on the CA.
o Installation now uses autoconf scripts. The autoconf script usage
is aimed towards the ease of the installation process on different
platforms.
o Enabled RA Operator's signature verification before issuing the new
certificate (uses the openca-verify command of the OpenCA-SV package).
o Bugfixing.
References:
===========
The OpenCA Project main website can be found at http://www.openca.org (or
at http://openca.sourceforge.net). You can find all current versions and
available documentation there.
You can also download any part of the software or documentation also at the
official ftp site:
ftp://ftp.openca.org
ftp://openca.sourceforge.net/pub/openca (soon removed)
or from one of the official mirrors:
http://www.openca.org/openca/mirrors.shtml
OpenCA Developers Group
--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] ma...@cp...
ma...@op...
ma...@ha...
http://www.openca.org Tel.: +39 (0)59 270 094
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365
|
|
From: <ope...@li...> - 2001-10-16 15:49:08
|
Hi all,
new web pages have been published. The web addresses are:
http://www.openca.org (for OpenCA LABS)
and
http://www.openca.org/openca (for PKI devel)
Let us know if there are problems when accessing the web pages or if you
find navigation difficult or not clear.
--
C'you,
Massimiliano Pala
--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] ma...@cp...
ma...@op...
ma...@ha...
http://www.openca.org Tel.: +39 (0)59 270 094
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365
|