SFL SW Now Available
All,
J.G. Van Dyke and Associates (VDA) has delivered the first interim release
of the S/MIME Freeware Library (SFL) for SunOS 4.1.3 and MS Windows NT/95.
The SFL is a reference implementation of the IETF S/MIME v3 CMS and ESS
I-Ds. This interim release of the SFL has been successfully used to sign,
verify, encrypt and decrypt CMS objects using the mandatory algorithms (DSA,
D-H, 3DES) provided by the Crypto++ library and SHA-1 provided by
Government-furnished freeware. This process includes using the SNACC ASN.1
Library to encode and decode CMS signedData and envelopedData objects. This
interim release includes: SFL High-level library; SFL Crypto++ Crypto Token
Interface Library (CTIL); VDA-enhanced GNU SNACC ASN.1 Compiler and
Library; test drivers and test data.
Although we have made significant progress with the development of the SFL
software, this interim release of the SFL software is NOT complete. We are
still in the process of developing the SFL software. Further releases will
be provided as significant capabilities are added. The SFL is being
delivered incrementally to provide software as soon as possible to allow
developers to: work with the API; begin integrating the SFL into their
applications; and to provide feedback to the ongoing SFL development
process. The SFL documents and software are still being developed and are
subject to change. The goal for completion of the SFL is June 1998. The
stability of the S/MIME v3 specifications is a prerequisite for meeting this
delivery goal. The SFL will be thoroughly tested and all memory leaks fixed
once the S/MIME v3 specs are finalized.
The 31 Mar 98 interim release of the SFL does not implement attributes and
does not implement signed receipts. It provides a C++ API. The SFL will be
enhanced to also provide a C API that will wrap the C++ API. It has not
been completely tested and it includes memory leaks. It includes security
holes. For example, the SFL stores private keys in the clear on the hard
drive of the host system. We will be enhancing the SFL Crypto++ Crypto
Token Interface Library (CTIL) to use PKCS #8 to store and protect the
private key material that it accesses.
The IMC has established an SFL web page at http://www.imc.org/imc-sfl/ which
includes links to the SFL files stored on the VDA web site at
http://www.jgvandyke.com/services/infosec/sfl.htm. The following SFL files
are available:
1) Word 97, ASCII text and Adobe Acrobat PDF files for the SFL Fact
Sheet (facsht.*), Software Design Description (SDD) (sfl_sdd.*),
Application Programming Interface (API) (sfl_api.*) and CTI API
(cti_api.*) documents.
2) SFL Public License (ASCII text).
3) Compressed tar file containing SNACC ASN.1 Compiler and Library
source code that has been enhanced by VDA to implement the
Distinguished Encoding Rules.
4) Zipped exe file containing MS Windows NT/95 files including: SFL
source code, SNACC ASN.1 Library, test code, project files.
5) Compressed tar file containing SunOS 4.1.3 files including: SFL
source code, SNACC ASN.1 Library, test code, makefiles.
Note: The last two files also include sample CMS test data and test X.509
Certificates. This file also includes test utilities to create X.509
Certificates (with bogus signature values) that each include a D-H or DSA
public key.
Detailed instructions for the implementation of the software for each
platform are included in a README file contained within the file for that
platform.
All source code for the SFL has been provided at no cost and with no
limitations regarding its use and distribution. Organizations can use the
SFL without paying any royalties or licensing fees. VDA is developing the
SFL under contract to the U.S. Government. The U.S. Government is
furnishing the SFL software at no cost to the vendor subject to the
conditions of the "SFL Public License" included in the license.txt file
available in each of the tar and exe files, and on the VDA web site.
The SFL is composed of a high-level library that performs generic CMS and
ESS processing independent of the crypto algorithms used to protect a
specific object. The SFL high-level library makes calls to an
algorithm-independent Crypto Token Interface API. The underlying, external
crypto token libraries are not distributed as part of the SFL source code.
The application developer must independently obtain these libraries and then
link them with the SFL. This strategy allows the SFL source code to be
freely distributed to the entire Internet community because it does not
contain software that directly implements any crypto algorithms that are
copyrighted or export controlled. For example, the SFL uses the freeware
Crypto++ library to provide 3DES, D-H and DSA. To use the SFL with Crypto++
the vendor must obtain the Crypto++ freeware library from the Crypto++ Web Page
(http://www.eskimo.com/~weidai/cryptlib.html) and then compile it with the
SFL source code that is obtained from us.
IMPORTANT NOTE: We were able to use the Crypto++ v2.3 library with MS
Windows 95/NT with only a few trivial changes that are documented in the SFL
MS Windows README file. Due to limitations with the GCC 2.7.2 compiler we
had to use Crypto++ v2.0 on SunOS 4.1.3. We made many non-trivial changes
to the Crypto++ v2.0 software so that we could use it on SunOS 4.1.3 with
GCC 2.7.2. We are communicating with the Crypto++ author and web site
manager to determine if our modifications will be posted on the Crypto++
web site. In the meantime, if you need the modified Crypto++ v2.0 for SunOS
4.1.3, please contact John Pawling.
The SFL software is developed to maximize portability to 32-bit operating
systems. In the future, support may be added for the following operating
systems: LINUX, Macintosh, HP/UX 9.x/10.x, IBM AIX 3.2, Sun Solaris 2.6 and
SCO ODT 3.0/5.0.
The IMC has established an SFL mail list which is used to: distribute
information regarding SFL releases; discuss SFL-related issues; and provide
a means for SFL users to provide feedback, comments, bug reports, etc.
Subscription information for the imc-sfl mailing list is at the IMC web site
listed above.
All comments regarding the SFL software and documents are welcome. We
recommend that they be sent to the imc-sfl mail list. We will respond
to all messages on that list.
================================
John Pawling, jsp@xxxxxxxxxxxxx
J.G. Van Dyke & Associates, Inc.
www.jgvandyke.com
================================