METU Computer Center adheres to a policy of using open-source software on its systems. The following sections explain the PKI solution tools mentioned above in more detail, with the emphasis on open-source software.
A complete PKI solution requires the following tools:
1. Encryption Library:
A library implementing encryption and hashing methods such as RSA, DSA, 3DES and SHA-1 is required. In addition, clients and secure servers require support for the PKCS standards, and secure e-mail requires S/MIME encoding.
There are many encryption libraries to choose from; however, the most widely used are OpenSSL and Mozilla NSS/PSM. Both of these libraries also support the S/MIME format.
The web addresses of some encryption libraries are provided below for the curious reader:
OpenSSL: http://www.openssl.org
Cryptlib: http://www.cs.auckland.ac.nz/~pgut001/cryptlib/index.html
Mozilla NSS/PSM: http://www.mozilla.org/projects/security/pki/nss
Catacomb: http://www.excessus.demon.co.uk/misc-hacks/#catacomb
Cryptix: http://www.cryptix.org/products/cryptix31/index.html
GnuPG: http://www.gnupg.org
2. Certificate Authority (CA):
A certificate authority is needed to manage and sign X.509v3 certificates. The certificate authority generates and manages the certificates, and it also lets clients download them to their computers.
OpenSSL comes with a simple CA application, yet it does not include all the components necessary for a CA. pyCA and OpenCA are built on top of OpenSSL and are used by many CAs. OpenCA is regarded as more comprehensive than pyCA; however, its documentation currently has certain deficiencies. Apart from these, there are applications such as Jonah and LURCIS, which belong to IBM and Leeds University respectively. These applications were developed institutionally; however, their use as free software is permitted under certain license agreements.
For those who are curious about certificate authority software, some useful web addresses are provided below:
pyCA: http://www.pyca.de
Written in Python; it uses Apache, mod_ssl and OpenSSL.
OpenCA: http://openca.sourceforge.net
Written in Perl; it uses Apache, mod_ssl, OpenSSL and PostgreSQL/MySQL. This software is still under development and also supports OpenLDAP.
Oscar: http://oscar.dstc.qut.edu.au
Written in C++. Its development has halted.
Jonah: http://www.foobar.com/jonah
There are some difficulties in viewing Jonah as an open-source application: as long as it is partly composed of institutional components, it is not open source in its entirety.
IDX-PKI: http://idx-pki.idealx.org
Developed with PHP and PostgreSQL; however, it is still at an early stage of development.
3. Directory Server:
A directory server is needed for use by both the certificate authority and the clients. Open-source PKI software currently offers directory server support; however, the development of this support is not yet complete.
The best open-source alternative is OpenLDAP: it runs as the directory server and also provides the libraries a client needs in order to access it.
For those who are curious about directory server software, some useful web addresses are provided below:
OpenLDAP: http://www.openldap.org
Umich SLAPD: http://www.umich.edu/~dirsvcs/ldap
4. E-mail Client:
Clients that can create, send and receive messages in S/MIME format are needed.
Since the user interacts with it directly, the e-mail client is a very important component of the PKI system. It should present its options to the user clearly and let the user apply them, and it should let the user add and remove certificates.
There are many open source e-mail clients. However, most of them support PGP rather than S/MIME.
Mutt is an e-mail client developed with a strong focus on secure communication. S/MIME support is not distributed with Mutt; however, when it is added as a patch, Mutt can sign with certificates and encrypt messages. Even though it can perform these tasks, Mutt cannot talk to a directory server.
In addition, the source code of Pine has recently included an S/MIME directory. However, inquiries reveal that this support has not been tested comprehensively.
Today, a number of web-based e-mail clients are in popular use. SSL secures the connection to these services; however, they cannot send signed and encrypted messages with S/MIME. Although neither has it yet, work is under way to add S/MIME support to the IMP and WING open-source webmail programs.
Evolution, developed under the GNOME project, is a graphically well-built, user-friendly and robust client. When used with Mozilla NSS/PSM, it becomes a viable client that supports S/MIME.
The Netscape Communicator 4.x and 7.x series do not have S/MIME support. This support was very well provided in the 4.x series; however, it was removed due to a problem with the American government. The support was restored in the 7.x series.
S/MIME support is available from Mozilla version 0.9.7 onwards.
For those who are curious about e-mail client software, some useful web addresses are provided below:
Mutt: http://www.mutt.org, http://elmy.myip.org/mutt/smime.html
No S/MIME support, but it can be added.
Pine: http://www.washington.edu/pine
It is said to have S/MIME support; however, it has not been tested much in practice.
Balsa: http://www.balsa.net
No S/MIME support; PGP/GPG support is under development.
Evolution: http://www.gnome.org/gnome-office/evolution.shtml
Supports S/MIME through Mozilla NSS/PSM.
IMP: http://www.horde.org/imp
An IMAP-based webmail system. No S/MIME support yet.
Kmail: http://www.kde.org
Can use PGP.
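The four components above (encryption library, CA, directory and S/MIME client) are easiest to understand by running them end to end. The script below is an added example, not code from the original article or from any of the projects it lists: it uses only the OpenSSL command-line tool to act as a minimal CA that signs an X.509v3 certificate restricted to e-mail protection, packages the result as PKCS#12 for import into an e-mail client, performs the S/MIME sign/verify and encrypt/decrypt steps a client such as Evolution or a patched Mutt carries out, and prints the LDIF entry a CA would publish to a directory server such as OpenLDAP. The CA name, the address alice@example.org, the dc=example,dc=org suffix and the PKCS#12 password are all constructed; the only requirement is an `openssl` binary (1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example (not from the original article or the projects it lists):
# a minimal file-based CA driven by the OpenSSL CLI, followed by the S/MIME
# operations an e-mail client performs with a certificate that CA issued,
# and the LDIF entry a CA would publish to a directory server.
# Assumptions: `openssl` 1.1 or 3.x on PATH; all names below are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"   # private keys land here; remove it after the demo
cd "$WORK"

# 1. The CA: a self-signed X.509v3 certificate carrying CA:TRUE and keyCertSign,
#    which is what lets relying parties tell it apart from an end-entity certificate.
make_ca() {
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
O = Example Org
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
    openssl req -new -x509 -key ca.key -days 365 -config ca.cnf -out ca.crt
}

# 2. Issue an end-entity certificate for an e-mail address from a CSR. The
#    extensions confine it to S/MIME use: CA:FALSE, signing and key-encipherment
#    key usage, the emailProtection extended key usage, and the address as SAN.
issue_user_cert() {   # $1 = subscriber's e-mail address
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\nemailAddress = %s\n' \
        "$1" "$1" > user.cnf
    cat > user_ext.cnf <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$1
authorityKeyIdentifier = keyid
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out user.key 2>/dev/null
    openssl req -new -key user.key -config user.cnf -out user.csr
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile user_ext.cnf -out user.crt 2>/dev/null
}

# Chain validation, plus an explicit check that the e-mail purpose was encoded.
verify_chain() { openssl verify -CAfile ca.crt user.crt; }
has_email_protection() { openssl x509 -in user.crt -noout -text | grep -q 'E-mail Protection'; }

# 3. Bundle key, certificate and CA certificate as PKCS#12, the format e-mail
#    clients import. The password is a constructed demo value.
export_pkcs12() {
    openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
        -passout pass:changeit -out user.p12
}

# 4. What the S/MIME client does: sign, verify against the CA (this also checks
#    the emailProtection purpose), encrypt to a recipient certificate, decrypt.
smime_sign() {
    printf 'Subject: test\n\nHello from the PKI demo.\n' > msg.txt
    openssl smime -sign -in msg.txt -signer user.crt -inkey user.key -out msg.signed
}
smime_verify()  { openssl smime -verify -in msg.signed -CAfile ca.crt -out msg.verified 2>/dev/null; }
smime_encrypt() { openssl smime -encrypt -aes256 -in msg.txt -out msg.enc user.crt; }
smime_decrypt() { openssl smime -decrypt -in msg.enc -recip user.crt -inkey user.key -out msg.dec; }

# 5. The directory entry a CA publishes so correspondents can fetch the
#    certificate: DER bytes, base64-encoded, in userCertificate;binary.
cert_to_ldif() {   # $1 = e-mail address
    printf 'dn: mail=%s,ou=people,dc=example,dc=org\nobjectClass: inetOrgPerson\nobjectClass: pkiUser\ncn: %s\nsn: %s\nmail: %s\nuserCertificate;binary:: %s\n' \
        "$1" "$1" "$1" "$1" "$(openssl x509 -in user.crt -outform DER | openssl base64 -A)"
}

make_ca
issue_user_cert alice@example.org
verify_chain              # prints "user.crt: OK"
has_email_protection
export_pkcs12
smime_sign
smime_verify
smime_encrypt
smime_decrypt
cert_to_ldif alice@example.org
```

Run it with `sh pki-demo.sh`; everything is written to a fresh temporary directory. Verification deliberately goes through `-CAfile ca.crt` rather than trusting the signer certificate directly, which is the check an e-mail client must perform before showing a signature as valid. On OpenSSL 3.x the `openssl cms` subcommand accepts the same options and is the preferred tool, but `openssl smime` still works.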
5. MTA:
An e-mail server is required to handle SMTP message traffic.
* * *
For a complete PKI solution, the literature generally recommends OpenSSL for encryption, OpenCA as the certificate authority software, OpenLDAP as the directory server and Evolution as the e-mail client.
While exploring how to become a certificate authority, METU Computer Center has concentrated its efforts on OpenCA, which is widely recommended. The next article will cover the installation and configuration of the OpenCA software in detail.
Feyza ERYOL (TAŞKAZAN)