v0.3 SFL Interim Release

[jsp@xxxxxxxxxxxxx (John Pawling)]

All,

J.G. Van Dyke and Associates (VDA) has delivered the third interim release
(Version 0.3) of the S/MIME Freeware Library (SFL).  It has been
successfully tested with the Sun Solaris 2.6 and MS Windows NT/95 operating
systems.  The SFL is a reference implementation of the IETF S/MIME v3 CMS
and ESS I-Ds.  We have made significant progress with the testing of the
SFL. The v0.3 SFL has been successfully used to sign, verify, encrypt and
decrypt CMS objects using the mandatory algorithms (DSA, D-H, 3DES) provided
by the Crypto++ library and SHA-1 provided by Government-furnished freeware.
The v0.3 SFL has also been used to sign, verify, encrypt and decrypt CMS
objects using the RSA suite of algorithms provided by the RSA BSAFE library.
The SFL uses the SNACC ASN.1 Library to encode and decode CMS signedData and
envelopedData objects. The v0.3 SFL release includes: SFL High-level
library; SFL Crypto++ Crypto Token Interface Library (CTIL); BSAFE CTIL;
VDA-enhanced GNU SNACC ASN.1 Compiler and Library; test drivers and test data.  

Since the v0.2 SFL release, we have begun interoperability testing between
the MS Outlook Express S/MIME v2 e-mail client and SFL.  We used the SFL to
successfully verify the signature of an Outlook Express-generated v2
signedData message.  We used the SFL to create a signedData message that was
verified by Outlook Express.  This required a number of changes in both the
SFL and test environment.  This is just the beginning of our
interoperability testing. 

Since v0.2 SFL release, we have made the following progress with the SFL:
fixed many bugs and memory leaks; improved VDA DER SNACC code to correctly
decode indefinite length BER sequences and ANYs (this was needed to
interoperate with Outlook Express and Netscape); "#pragma pack(8)" added to
"sm_api.h" to force consistent structure alignment for references to the SFL
classes; made minor changes recommended by customers; added support for
ESSSecurityLabel signed attribute; improved Receipt Request logic; improved
certificate generation utilities; and added support for processing the
encapsulated content separate from the signedData object that includes the
signature of the content.  We also improved the SFL test environment: added
ability to specify combinations of various hash/signing/encryption
algorithms when creating a message; added limited MIME message construction
using the freeware MIME++ library (SignedData only); increased consistency
of certificates and private keys used for all CTILs (address book logic).

Although we have made significant progress with the development of the SFL,
this interim release of the SFL is NOT complete. We are still in the process
of developing and testing the SFL.  For example, we will be enhancing the
BSAFE CTIL to store the user's private keys in an encrypted form.  Further
releases will be provided (probably on a monthly basis) as significant
capabilities are added.  The SFL is being delivered incrementally to provide
software as soon as possible to allow developers to: work with the API;
begin integrating the SFL into their applications; and to provide feedback
to the ongoing SFL development process. The SFL documents and software are
still being developed and are subject to change. The goal for completion of
the SFL is September 1998. The stability of the S/MIME v3 specifications is
a prerequisite for meeting this delivery goal. 
  
Future releases will include: support for additional attributes; Fortezza
CTIL; additional helper functions; C API (in addition to C++ API); support
for other crypto libraries; and support for other operating systems.  The
SFL will be thoroughly tested and all memory leaks fixed.  Robustness
testing will be performed.  The SFL will be tested for interoperability with
S/MIME v2 and v3 products. Other possible future enhancements include
additional example CTILs supporting other Cryptographic APIs, such as Open
Group's Common Data Security Architecture. We will continue enhancing
utilities to generate certificates to be used as test data.

The IMC has established an SFL web page (http://www.imc.org/imc-sfl) which
includes links to the SFL files stored on the VDA SFL Page
(http://www.jgvandyke.com/services/infosec/sfl.htm) and on the Fortezza
Developer's S/MIME Page
(http://www.armadillo.huntsville.al.us/software/smime).  


The following SFL files are not export-controlled.  They are available at
the Fortezza Developer's S/MIME Page (now) and VDA SFL Page (any minute now):

1) SFL Documents: SFL Fact Sheet, SFL Software Design Description, SFL
Application Programming Interface, SFL CTI API and SFL Public License.
     
2) snacc-1.3vda.tar.Z: Compressed tar file containing SNACC ASN.1 Compiler
and Library source code compilable for Unix that has been enhanced by VDA to
implement the Distinguished Encoding Rules.  makefiles are included.

3) snaccvc.zip: zip file containing SNACC ASN.1 Compiler and Library source
code that has been enhanced by VDA to implement DER.  MS Windows NT/95
project files are included for the SNACC code, MIME++ and Crypto++.  Note
that the Crypto++ and MIME++ libraries are not included.  See
(http://www.eskimo.com/~weidai/cryptlib.html) and
(http://hunnysoft.com/mimepp/) for these two libraries.

The following SFL files are export controlled and are available at the
Fortezza Developer's S/MIME Page:

1) smimeR03.tar.Z:  Compressed tar file containing all SFL source code
including: SFL Hi-Level source code; VDA-enhanced SNACC-generated ASN.1
source code; SFL Crypto++ CTIL source code; SFL BSAFE CTIL source code;
makefiles.  This file also contains test driver source code, sample CMS test
data and test X.509 Certificates.  This file also includes test utilities to
create X.509 Certificates that each include a D-H, DSA or RSA public key.  

2) smimeR03.zip:  Zip file containing all SFL source code including: SFL
Hi-Level source code; VDA-enhanced SNACC-generated ASN.1 source code; SFL
Crypto++ CTIL source code; SFL BSAFE CTIL source code; project files.  This
file also contains test driver source code, sample CMS test data and test
X.509 Certificates.  This file also includes test utilities to create X.509
Certificates that each include a D-H, DSA or RSA public key.  SNACC release
and debug libraries compiled for MS Windows NT/95.  
  

Instructions for applying for an account on the Fortezza Developer's S/MIME
Page are available from that page.  An account is required to download the
SFL files from the Fortezza Developer's S/MIME Page due to U.S. export
restrictions.  See the U.S. Bureau of Export Administration's Commercial
Encryption Export Controls web site at http://www.bxa.doc.gov/encstart.htm
for more information regarding the U.S. export restrictions.  

All source code for the SFL is being provided at no cost and with no
financial limitations regarding its use and distribution. Organizations can
use the SFL without paying any royalties or licensing fees.  VDA is
developing the SFL under contract to the U.S. Government.  The U.S.
Government is furnishing the SFL software at no cost to the vendor subject
to the conditions of the "SFL Public License" available from the VDA SFL
Page and Fortezza Developer's S/MIME Page.
  
The SFL is composed of a high-level library that performs generic CMS and
ESS processing independent of the crypto algorithms used to protect a
specific object.  The SFL high-level library makes calls to an
algorithm-independent Crypto Token Interface API.  The underlying, external
crypto token libraries are not distributed as part of the SFL source code.
The application developer must independently obtain these libraries and then
link them with the SFL.  For example, the SFL uses the freeware Crypto++
library to provide 3DES, D-H and DSA.  To use the SFL with Crypto++ the
vendor must download the Crypto++ freeware library from the Crypto++ Web
Page and then compile it with the SFL source code.  

The SFL software is developed to maximize portability to 32-bit operating
systems.  In the future, support may be added for the following operating
systems: Macintosh, HP/UX 9.x/10.x, IBM AIX 3.2, Sun Solaris 2.6 and SCO ODT
3.0/5.0.

The IMC has established an SFL mail list which is used to: distribute
information regarding SFL releases; discuss SFL-related issues; and provide
a means for SFL users to provide feedback, comments, bug reports, etc.
Subscription information for the imc-sfl mailing list is at the IMC web site
listed above.

All comments regarding the SFL software and documents are welcome.  We
recommend that comments should be sent to the imc-sfl mail list.  We will
respond to all messages on that list.

================================
John Pawling, jsp@xxxxxxxxxxxxx                             
J.G. Van Dyke & Associates, Inc.   
www.jgvandyke.com         
================================