Monday, May 24, 2010

Celebrate 10 years of BouncyCastle

David Hook of BouncyCastle wrote this on the dev-crypto mailing list.

Hi all,

While we're not in a habit of making a huge fuss about things, one thing
is about to come up which we thought we'd mention.

Monday 24th of May, marks 10 years since the first release of the Bouncy
Castle Cryptography APIs.

To give you an idea of what this means, the first release was on the
order of 24,000 lines of Java. Ten years on we are now looking at
200,000 lines of Java and 160,000 lines of C# with a substantial
increase in functionality. The passage of time has certainly been felt.

Anyway, a lot of people outside of the core developers have contributed
over the years, so once again, thanks! And for us, them, and everyone
else, if you're inclined to celebrate 10 years of open source crypto
from this project, Monday is a good time to do it!



An incredibly consistent track record of one of the best open source projects out there!

External RA enrollment Web GUI, sponsored by APNIC

I would like to take this opportunity to remind you that EJBCA 3.10 has a new, much-awaited feature: a web GUI for enrollment using the External RA.
The web GUI can be used to enroll for browser certificates using most browsers on all platforms. You can also enroll for server certificates and keystores.
The new GUI is developed with JSF and Facelets, using the IceFaces component library. This gives it a nice modern look and function.

The development of this new feature was sponsored by APNIC, who make sure the internet works in the Asia Pacific.

Monday, May 17, 2010

EJBCA at the Greek police

I gave a presentation about EJBCA and SignServer at two conferences, held by Eellak, in Greece this weekend. As part of this I gave, as an example, an installation of EJBCA at the Greek police. A short summary:
  • Project PoL, Police on-line.
  • EJBCA replaces RSA Keon CA.
  • Installation by BYTE and PrimeKey.
  • All certificates in smart cards (~25.000).
  • Cards are used to access the PoL network and sign documents.
  • Both old cards and new cards produced with EJBCA are used simultaneously to access, sign and encrypt using a new client, NetID.
  • An old RSA card that expires is replaced with a new card.
  • Users and documents are not affected.
All in all a nice installation and a good example of usage of PKI in an organization.

Tuesday, May 4, 2010

EJBCA 3.9.7 and 3.10.1 released

Monday saw a double release of EJBCA. 3.9.7 fixes a very low number of issues in the old 3.9 branch, while 3.10.1 contains 34 fixes and feature enhancements for the 3.10 branch.

3.10.1 is the recommended release for all new installations.

Noteworthy changes in 3.10.1

  • New WS-API methods for renewing CAs. This enables the possibility for
    automated SPoCs in an EAC ePassport PKI.

  • New CMP proxy module letting you have a separate server terminating
    CMP connections and then forwarding them to the CA.

  • Possibility to renew CAs without activating new keys, enabling the CA
    to continue working until a new certificate is imported.

  • Support for SHA384WithECDSA signature algorithm.

  • Fixed deployment on JBoss EAP 5.0.0.

  • Fixed admin GUI bug with problems selecting privileges for RA

  • Fixed some issues with the CLI and renewal of expired CAs.

  • Fixed a bug with the CLI for getting delta CRLs.

  • Other minor bug fixes.

Changes in 3.9.7

  • Fixed an error when creating DVs signed by external CVCAs (EAC
    ePassport only).

  • Give better error message when the same public key is passed in
    initial CVC request (EAC ePassport only).

  • Log OCSP responder startup and shutdown.

  • Fix possible NullpointerException in