NIST Reference Implementation available



Today, NIST announced the availability of reference implementation PKI
components.  I have appended the press release below, but thought this
group would be interested in some additional technical details.

First, though, the distribution details:

The reference implementation is FREE, and is available upon request via the
following URL: 

	http://csrc.nist.gov/pki/mispc/refimp/cdj2.htm

NIST has obtained an export license; exports are approved worldwide except
to India, Pakistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
Upon request, we will ship you a CD-ROM.  We do *not* support on-line
download; it is difficult to enforce the restrictions and complicates
reporting.

Technical Info:

The reference implementation components conform to NIST Special Publication
800-15, the "Minimum Interoperability Specification for PKI Components,
Version 1" (MISPC).  The MISPC is a fairly comprehensive PKI specification
based on X.509/RFC 2459, CMP, and CRMF.  It supports a PKI architecture
that includes CAs, RAs, clients, and an LDAP certificate repository.  It
defines transactions to obtain and revoke certificates, but is limited to
digital signatures.

NIST developed this specification with a number of industry partners under
Cooperative Research and Development Agreements (CRADAs).  (They are listed
below in the press release.)  The MISPC is more or less a subset of RFC
2459, CMP, and CRMF.  It provides profiles of certificates and CRLs.
Unlike RFC 2459, the MISPC requires DNs for the subject of all
certificates.  The MISPC uses only eight of CMP's message types.  The MISPC
supports RSA, DSA and ECDSA public keys and signatures; SHA-1 is the
only hash algorithm.
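As an added illustration (this is not code from NIST's reference implementation or from the MISPC itself), here is a small Python checker for two of the profile rules just described: every certificate must carry a non-empty subject DN, and the signature algorithm must be RSA, DSA or ECDSA with SHA-1.  The DER encoder and the certificates it builds are constructed test input; the OIDs are the standard identifiers for those algorithms, and the AlgorithmIdentifier parameters are omitted in the constructed encoding because the check only reads the OID.

```python
# Added example: checks two MISPC profile rules over DER-encoded X.509 certificates.
# Constructed test data; not the NIST reference implementation.

MISPC_SIG_ALGS = {            # OID -> name; SHA-1 is the only MISPC hash
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "id-dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

# ---- minimal DER encoder (just enough to construct test certificates) ----
def der(tag, content):
    """Wrap content in a DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, body)

def name(rdns):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; rdns is [(oid, text)]."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, oid(t) + der(0x13, v.encode("ascii"))))  # PrintableString
        for t, v in rdns))

def alg_id(sig_oid):
    # AlgorithmIdentifier with parameters omitted (constructed simplification).
    return der(0x30, oid(sig_oid))

def make_cert(subject_rdns, sig_oid):
    """Structurally valid Certificate with a dummy key and signature (constructed)."""
    validity = der(0x30, der(0x17, b"990225000000Z") + der(0x17, b"000225000000Z"))
    spki = der(0x30, alg_id("1.2.840.10040.4.1") + der(0x03, b"\x00\x00"))  # id-dsa, dummy key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                      # [0] version v3
                    + der(0x02, b"\x01")                               # serialNumber
                    + alg_id(sig_oid)                                  # signature
                    + name([("2.5.4.10", "NIST"), ("2.5.4.3", "Example CA")])  # issuer
                    + validity
                    + name(subject_rdns)                               # subject
                    + spki)
    return der(0x30, tbs + alg_id(sig_oid) + der(0x03, b"\x00\x00"))  # dummy signatureValue

# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed value into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def mispc_profile_issues(cert_der):
    """Return the list of profile violations; an empty list means both rules hold."""
    _, body, _ = read_tlv(cert_der)
    tbs_elem, outer_alg, _ = children(body)          # tbsCertificate, signatureAlgorithm, signatureValue
    tbs = children(tbs_elem[1])
    base = 1 if tbs[0][0] == 0xA0 else 0             # skip the optional [0] version
    tbs_alg = decode_oid(children(tbs[base + 1][1])[0][1])
    sig_alg = decode_oid(children(outer_alg[1])[0][1])
    subject = children(tbs[base + 4][1])             # serial, signature, issuer, validity, subject
    issues = []
    if tbs_alg != sig_alg:
        issues.append("tbsCertificate.signature and signatureAlgorithm differ")
    if sig_alg not in MISPC_SIG_ALGS:
        issues.append(f"signature algorithm {sig_alg} is not RSA/DSA/ECDSA with SHA-1")
    if not subject:
        issues.append("empty subject DN (RFC 2459 permits it with subjectAltName; MISPC does not)")
    return issues

if __name__ == "__main__":
    good = make_cert([("2.5.4.3", "Alice")], "1.2.840.10040.4.3")
    bad = make_cert([], "1.2.840.113549.1.1.4")      # empty subject, md5WithRSAEncryption
    print("compliant:", mispc_profile_issues(good))
    print("non-compliant:", mispc_profile_issues(bad))
```

The reader deliberately indexes the TBS fields by position after skipping the optional version tag, which is how a profile checker can stay independent of whatever extensions follow the subjectPublicKeyInfo; a real certificate from a CA or an LDAP repository can be fed to `mispc_profile_issues` unchanged.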

Additional information regarding this specification, and the MISPC itself,
may be obtained at the URL: http://csrc.nist.gov/pki/mispc

The reference implementation is a laboratory tool and a proof-of-concept.
It is intended to help developers build interoperable products.  This is
not a production system, and the client is not linked to *any* of the
standard tools. (That is, there are no plug-ins for anything!)  We provide
a single test application that generates and verifies signatures on files.

The reference implementation is software for Windows 95/98/NT systems, and
is provided as both source and executables.  The cryptographic module is
supplied as executable only, and includes DSA, SHA-1, and DES.  You will
need to provide an LDAP directory (we've tested Netscape, Microsoft, and
ICL), an SMTP/POP3 email server, and a TCP/IP network.  At a minimum, you
will need two computers - the CA and RA must run on different physical
systems.

The software was developed by Cygnacom Solutions under contract to NIST.
The source code is C++ and works really nicely with Visual Studio 6.0.  (We
have ported some code to Borland successfully.)  I think that will answer
the usual questions.  Additional information is available at 
	http://csrc.nist.gov/pki/mispc/refimp/referenc.htm
or by sending me email.

Thanks,

Tim Polk

P.S.  I will *not* be distributing copies at the Minneapolis IETF.  It
makes export control reporting far too difficult.  I recognize this would
reduce international mail delays, but the jewel case is clearly marked as
"subject to U.S. Government Export Controls".  Mail is really the best
solution.

-------------- NIST Press Release ------------------

FOR IMMEDIATE RELEASE:          Contact: Philip Bulman
Feb. 25, 1999                            (301) 975-5661
                                         bulman@nist.gov

TN-6209

NIST RELEASES SOFTWARE TO PROMOTE SECURE E-COMMERCE PRODUCTS

The National Institute of Standards and Technology’s Information Technology
Laboratory today released software to assist industry in building more
secure systems to promote electronic commerce.

Vendors of products can use the NIST software to help ensure that their
product offerings can work with those of other firms. Such
"interoperability" will provide customers greater choice and flexibility in
selecting secure products. Interoperability is also critical to promote
widespread availability of security features to support secure on-line
transactions.

The software can be used by industry vendors to ensure the interoperability
of their products implementing advanced "public key infrastructure" (PKI)
technology. This technology provides a strong means to support electronic
business transactions over the Internet.

"The release of this software marks an important advance in PKI technology.
Now product developers can easily test their products and systems to
ensure interoperability with other systems," said Donna Dodson, who heads
the NIST Security Technology Group.

NIST’s new software is a reference implementation of PKI components
conforming to the Minimum Interoperability Specification for PKI
Components, Version 1 (MISPC V1). It is available in two forms:
ready-to-run executables for Windows 95(TM) systems and source code.

Santosh Chokhani, president of Cygnacom Solutions, notes the project has
already had an impact. "This project helped us validate the MISPC and
supporting standards." Cygnacom Solutions developed the reference
implementation under contract for NIST.

The MISPC is an interface specification for PKI components based upon
emerging international standards. MISPC V1 identifies a small set of
features from these specifications as the minimum feature set for
interoperability for PKI components. The specification’s certificate format
conforms to the International Organization for
Standardization/International Telecommunications Union X.509 standard and
the Internet Engineering Task Force’s Internet X.509 Certificate and
Certificate Revocation List (CRL) Profile. Transactions are based on the
IETF’s Certificate Management Protocol and use the Lightweight Directory
Access Protocol (LDAP) to distribute certificates and CRLs.

This reference implementation is designed as a proof-of-concept to help
product developers and researchers. The implementation is a laboratory
tool, permitting researchers to become familiar with PKI transactions and
components without significant investment. The software is a concrete
demonstration of the functionality described in the MISPC, V1. Finally, it
provides a baseline for interoperability testing of PKI components. A
developer may substitute locally developed components for components in the
reference implementation for testing.

NIST’s software includes implementations of three PKI components: a
Certification Authority (CA), an Organizational Registration Authority
(ORA), and a PKI client. The program is available in executable form for
Windows 95(TM) systems; source code for PKI operations is available as well.
With an LDAP directory and an electronic mail system, these components can
issue, revoke and retrieve public key certificates.  The reference
implementation enacts several scenarios for certificate issuance. Clients
and ORAs may request certificates. Both clients and ORAs may request
certificate revocation. The CA distributes revocation information by
issuing X.509 CRLs.  Electronic mail transports the requests and responses.
Clients and ORAs retrieve certificates and CRLs using LDAP.

NIST’s Information Technology Laboratory developed the MISPC V1 with 10
industry partners under the auspices of cooperative research and
development agreements (CRADAs). The 10 partners were AT&T Corp., BBN (now
part of GTE), Certicom Corp., Cylink Corp., Dyncorp Information &
Engineering Technology Inc., Northern Telecom (now Entrust Technologies
Inc.), IRE, Motorola Inc., SPYRUS and VeriSign Inc. NIST is developing an
enhanced specification, version 2, with 16 industry partners: AT&T Corp.,
CertCo, Certicom Corp., Cylink Corp., Digital Signature Trust Co., Dyncorp
Information & Engineering Technology Inc., Entrust Technologies Inc.,
Frontier Technologies Corp., GTE, ID Certify, Mastercard International,
Microsoft Corp., Motorola Inc., SPYRUS, VeriSign Inc. and Visa
International. The MISPC V2 will include new transactions to support
issuing public key certificates for key management.

The software is available free of charge to anyone in the United States
and most other countries.

To request the reference implementation or obtain information on the MISPC,
please use the following URL: http://csrc.nist.gov/pki/mispc.

As a non-regulatory agency of the U.S. Department of Commerce’s Technology
Administration, NIST promotes economic growth by working with industry to
develop and apply technology, measurements and standards through four
partnerships: the Measurement and Standards Laboratories, the Advanced
Technology Program, the Manufacturing Extension Partnership and the
Baldrige National Quality Program.

-30-

News and general information on the National Institute of Standards and
Technology are available on the World Wide Web at http://www.nist.gov.