v1.8 Certificate Management Library Now Available



All,

Getronics Government Solutions (GGS) (formerly Wang Government Services) has
delivered the Version 1.8 Certificate Management Library (CML).  The v1.8
CML is freely available to everyone from the Fortezza Developers CML Page
<http://www.armadillo.huntsville.al.us/software/certmgmt/index.html>.  

The v1.8 CML is described in the v1.8 CML Application Programming Interface
(API) document.  It implements the 1997 X.509 certification path processing
rules and SDN.706.  It meets the majority of the IETF PKIX RFC 2459
Certificate/CRL Profile requirements.  It (optionally) provides local cache
management functions and (optionally) obtains data objects using the
Lightweight Directory Access Protocol (LDAP).  It can (optionally) be used
in conjunction with the v1.31 Certificate Path Development Library (CPDL)
developed by CygnaCom Solutions, an Entrust Technologies company, to provide
robust certification path building capabilities such as using cross
certificates. The CML has been used to validate X.509 Certificates and
Certificate Revocation Lists (CRL) signed using the Digital Signature
Algorithm (DSA) and RSA.   Further enhancements, ports and testing of the
CML are still in process.  Further releases of the CML will be provided as
significant capabilities are added. 

The following v1.8 CML files are available:
CMLv18win.zip: MS Windows Dynamically Linked Libraries (DLL) 
CML18so.tar.Z: Sun Solaris Libraries 
CML18li.tar.Z: Linux Libraries
CML18sr.tar.Z: Source, including Windows project files 

The aforementioned files and the v1.8 CML API document (CMv1_8api.doc,
CMv1_8api.pdf), test certs (CML18data.zip) and readme.txt files are stored
on the Fortezza Developers CML Page.

The v1.8 CML includes the following enhancements (compared with the v1.71
CML release):

1) Fixed all bugs reported by customers.

2) Tested for MS Windows, Solaris 2.7 and Linux.  On Linux and MS Windows,
we tested the CML with the following crypto capabilities: internal calls to
the internal SHA-1/DSA code; internal calls to RSAREF library; and using the
Crypto++ Crypto Token Interface Libraries (CTIL) with the Crypto++ v3.2
library.  

3) Tested using common v1.3 R4 Enhanced SNACC ASN.1 C Library, v1.8 CTILs
and LIBCERT libraries shared with the v1.8 S/MIME Freeware Library (SFL) and
v1.4 Access Control Library (ACL).  The common, shared libraries are
available from the Fortezza Developer's S/MIME Page
<http://www.armadillo.huntsville.al.us/software/smime>.

4) Enhanced to process all recognized certificate and CRL extensions,
regardless of criticality.

5) Implemented SDN.706 sigOrKMPrivileges and commPrivileges subordination
checks.

6) Corrected processing of v2 subject and issuer unique identifiers.  v1.71
CML incorrectly processed them as if they were key identifiers instead of
distinguished name (DN) qualifiers.

7) Corrected cache/database code so that it stores distribution point CRLs
under a separate entry in the cache/database that is identical to the entry
from which the CRL was retrieved.

8) Added name constraints processing for name forms specified in RFC 2459:
rfc822Names, DNS Names and Uniform Resource Identifiers (URI).
directoryName is already supported.  
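As an added illustration of the name-form matching that item 8 refers to (this is example code written for this note, not CML source), the functions below apply the RFC 2459 name constraint rules for rfc822Name, dNSName and URI: a host constraint matches that host exactly, a constraint with a leading period matches any host within the domain, a dNSName is satisfied by adding whole labels on the left, and a URI constraint is tested against the URI's host part. An LDAP URI with no server name (the "LDAP:///..." form mentioned under item 11) has an empty host and therefore cannot satisfy a host constraint. All names and constraints below are constructed test values.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Case-insensitive "name ends with suffix". */
static bool ends_with_ci(const char *name, const char *suffix) {
    size_t n = strlen(name), s = strlen(suffix);
    return s <= n && strcasecmp(name + (n - s), suffix) == 0;
}

/* RFC 2459 host rule: "host" matches exactly, ".domain" matches hosts below it. */
static bool host_matches(const char *host, const char *constraint) {
    if (constraint[0] == '.')
        return strlen(host) > strlen(constraint) && ends_with_ci(host, constraint);
    return strcasecmp(host, constraint) == 0;
}

/* rfc822Name constraint: exact mailbox "user@host", a host, or ".domain". */
bool rfc822_matches(const char *mailbox, const char *constraint) {
    const char *at = strchr(mailbox, '@');
    if (!at) return false;                       /* not a valid mailbox */
    if (strchr(constraint, '@'))
        return strcasecmp(mailbox, constraint) == 0;
    return host_matches(at + 1, constraint);
}

/* dNSName constraint: equal, or the constraint with labels added on the left. */
bool dns_matches(const char *name, const char *constraint) {
    size_t n = strlen(name), c = strlen(constraint);
    if (strcasecmp(name, constraint) == 0) return true;
    return n > c && name[n - c - 1] == '.' && ends_with_ci(name, constraint);
}

/* URI constraint: extract host from "scheme://[user@]host[:port][/path]" and
   apply the host rule; an empty host (e.g. "ldap:///cn=...") never matches. */
bool uri_matches(const char *uri, const char *constraint) {
    char host[256];
    const char *p = strstr(uri, "://");
    if (!p) return false;
    p += 3;
    const char *at = strchr(p, '@');
    const char *slash = strchr(p, '/');
    if (at && (!slash || at < slash)) p = at + 1; /* skip userinfo */
    size_t len = strcspn(p, ":/");                /* host ends at port or path */
    if (len == 0 || len >= sizeof host) return false;
    memcpy(host, p, len);
    host[len] = '\0';
    return host_matches(host, constraint);
}
```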

9) Added support for NULL subject DNs.  (NOTE: Certs with a NULL subject DN
will not be stored in the CML database.)

10) Added support for the RFC 2459 Authority Information Access (AIA)
extension. This includes enhancing the CML to retrieve and check a CRL
identified in an AIA extension by an LDAP address in the URI field.

11) Enhanced CRL retrieval processing.  This includes identification of
Authority Revocation List (ARL) vice CRLs and using the application-provided
distribution points information in the CM_RequestCRLs function.  This
includes enhancing the CML to automatically search the directory for a
current CRL when the current date is later than the nextUpdate field in a
local CRL.  This also includes enhancing the CML to retrieve and check a CRL
identified in a CRLDistributionPoint (CRLDP) extension by an LDAP address in
the URI field.  This also includes the ability to process multiple URI
fields in the CRLDP (especially to handle the case in which the initial URI
field indicates a null server name (LDAP:///...)). 

12) Added support for certificate policy qualifiers as described in RFC
2459.

13) Removal of the C++ SNACC conversion shared library (cmdec_cpp) (the v1.8
CML makes use of the C SNACC ASN.1 Library, but not the C++ SNACC ASN.1
Library).

14) Added CTIL interface shared library (cmctil).

15) Incorporated calls (IFDEFed) to BSAFE v5 library submitted by Secure
Computing Corporation.
  
16) Enhanced CMTool to execute performance testing and memory leak testing.

17) Performed regression testing to ensure that aforementioned enhancements
did not break existing CML functionality.

We welcome all feedback regarding the CML software and documents.  If
bugs are reported, then we will investigate each reported bug and, if
required, will produce a patch or an updated release of the software to
repair the bug.

All source code for the CML is being provided at no cost and with no
financial limitations regarding its use and distribution. Organizations can
use the CML without paying any royalties or licensing fees.  The CML was
originally developed by the U.S. Government.  GGS is enhancing and
supporting the CML under contract to the U.S. Government.  The U.S.
Government is furnishing the CML software at no cost to the vendor subject
to the conditions of the CML Public License provided with the CML software.
The CML software is not subject to U.S. Government encryption export
regulations, so it is freely available to everyone.

The v1.8 CML uses the GGS v1.3 R4 Enhanced SNACC ASN.1 Library to
encode/decode objects.  GGS has successfully tested the v1.8 CML with the
SNACC and CTIL DLLs delivered in conjunction with the v1.8 SFL.  Source code
for the GGS-developed CTILs is available from the Fortezza Developer's
S/MIME Page.  The actual crypto libraries are not provided with the CML or
SFL.  They must be independently obtained from the appropriate source.  

The v1.8 CML can be used in conjunction with the v1.31 CPDL to successfully
meet all of the requirements of the Bridge Certification Authority
Demonstration effort which includes cross-certified Entrust, Spyrus and
Motorola v3 certificate domains.  The CML18sr.tar.Z file includes the CPDL
source code and public license.  <http://www.cygnacom.com/cpl> provides more
information regarding the CPDL.

The Internet Mail Consortium (IMC) has established a CML web page
<http://www.imc.org/imc-cml>   
and a CML mail list which is used to: distribute information regarding CML
releases; discuss CML-related issues; and allow CML users to provide
feedback, comments, bug reports, etc.  Subscription information for the
imc-cml mailing list is at the IMC web site listed above.  

All comments regarding the CML source code and documents are welcome. This
CML release announcement was sent to several mail lists, but please send all
messages regarding the CML to the imc-cml mail list ONLY.  Please do not
send messages regarding the CML to any of the IETF mail lists.  We will
respond to all messages sent to the imc-cml mail list.

===========================================
John Pawling, john.pawling@getronicsgov.com
Getronics Government Solutions, LLC
===========================================



