EJBCA 5.0.2 released, delivered for Common Criteria Certification

23 January 2011 - Stockholm, Sweden

Primekey proudly presents the 5.0.2 maintenance release of EJBCA. This release is the candidate for Common Criteria for Information Technology Security Evaluation (Common Criteria) certification, and a majority of the effort for this release has been devoted to addressing issues to meet Common Criteria's exacting standards.

Quite some effort was also put into stabilizing the 5.0.x release for production use, including improvements of performance and usability.

EJBCA 5.0.2 Release Notes ►

A maintenance release containing a couple of small features and many bug fixes. The following are a selection of the most noteworthy:

• New features:

  • Support has been added for incorporating external plugins in the EJBCA EAR file at build time, allowing the addition of custom administrative capabilities and specialized RA systems.

• Bug fixes:

  • The Web interface has been thoroughly audited and cleaned from XSS issues.

  • Authorization checks have tightened up in accordance to Common Criteria demands.

  • Audit logging has been improved and fixed where lacking.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 5.0.3 or later releases.

More information is available at the project web site and the complete change log can be viewed in the issue tracker.

For more information, please contact:

Tomas Gustavsson, CTO, PrimeKey Solutions AB, tel: +46(0)707 42 10 96, e-mail: tomas@primekey.se

PrimeKey Solutions AB

PrimeKey is the world's leading open source PKI (public key infrastructure) company, and founders and commercial force behind some of the most downloaded open source PKI projects – EJBCA and SignServer.

An open source security software pioneer, PrimeKey provides enterprise class solutions to key public and commercial sector clients worldwide. Organizations turn to PrimeKey's open source software platforms to implement security solutions (such as e-passports, product authenticity, document signing, digital signatures, unified digital identities) and their associated high speed and high availability validation.

PrimeKey's enterprise class integration, training and support services and dedication to open standards help customers achieve their organizational goals. www.primekey.se

The EJBCA Project

EJBCA PKI is a Certification Authority and a complete enterprise PKI management system, delivered either as an integrable part or as a turnkey solution. EJBCA OCSP and EAC are sub functions of EJBCA PKI, and are used for on-line validation and ePassports.

EJBCA offers great advantages such as excellent cost-effectiveness, unmatched flexibility, complete integration – and full professional maintenance and support by PrimeKey. www.ejbca.com

EJBCA 4.0.7 released

EJBCA PKI 4.0.7 was released as a Christmas gift on the 25th of December 2011.

A maintenance release containing 6 bug fixes and 4 new features or improvements.
New features

• Documented EJBCA integration with the secure email server Djigzo.
• Added a plug-in build system.

Bug fixes

• Fixed an error reading large OCSP requests in some cases.
• Fixed a few minor XSS issues.
• Fixed a build issue of the Validation Authority on some platforms.
• Improved support for Chinese in the admin console.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 4.0.8 or later releases.

More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

SignServer 3.2.1 released

SignServer v 3.2.1 was recently released. The server side (PKI) document signature server gained a lot of improvements to PDF digital signing.
Secure PDF documents are a lot more complex than you'd think at first. There are a lot of security options, and several passwords and mechanisms to protect the various security aspects.

Major new features and improvements

• Improved servlet error handling.


• Deploy documentation with application.


• Improved API for archiving.


• Support for signing PDFs with document restrictions.


• Support for: PDF permissions enforcement; modification of PDF permissions; setting PDF permission passwords.


• Refuse to certify PDFs already certified and refuse to sign when signing is not
  allowed.

Bug fixes

• Remote EJB worker interface could not be used with ECC with explicit parameters.


• Warnings printed on STDERR.


• Web service interface did not log XFORWARDEDFOR headers.


• Typo in sample configuration for PDFSigner.


• Setting healthcheck properties had no effect.


• CRL download should close streams correctly and allow for caching.


• Supplied username and password ignored in SigningAndValidationWS.


• Unit tests failed in certain situations.


• Ant target for testing individual tests did not work.


• Switching application server type did not update jndi.properties.


• JavaDoc failed to build.

SignServer 3.2.1 is a great tool to digitally sign and secure different types of documents. And of course it integrates well with EJBCA.

EJBCA - Djigzo integration

The Djigzo email encryption gateway has a new release out with easy integration with EJBCA.

Basically it allows an email encryption gateway to automatically connect to EJBCA for certificate management. This makes it possible for a truly transparent, for users, email encryption solution.

For more info see the Guide at EJBCA.org.

You can also read the full EJBCA Setup Guide over at Djigzo.com.

EJBCA 4.0.6 released

Old news by now, but I'm travelling in Asia...

It is only a minor release, but it's good to have the blog complete :-)

The PrimeKey EJBCA team is happy to announce that EJBCA 4.0.6 has been released! This is a maintenance release — 4 issues have been resolved. The most noteworthy changes can be seen below.
EJBCA 4.0.6 release notes

A maintenance release containing 3 bug fixes and 1 new feature.

New features:

• CMP, Implement message type KeyUpdateRequest.

Bug fixes:

• Fixed importing empty CRL via CLI.
• Fixed minor CMP and XSS issues.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 4.0.7 or later releases.

More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

EJBCA 4.0.5 released

EJBCA, the Open Source Enterprise PKI, version 4.0.5 has been released.

This is a maintenance release with a few improvements and bug fixes. In all 7 issues have been resolved.

Noteworthy changes:

• Correct comparison of public key in HSM and CA certificate.
• Fixed regression during republish.
• Many small bug fixes.

View the full changelog. in our Jira.

We are currently focusing on bringing common criteria certification to EJBCA, something that will come in EJBCA 5, which is the next release that we are working on.

See the PrimeKey release news.

Regards,
The PrimeKey EJBCA Team

About the EJBCA project
EJBCA PKI is a Certification Authority and a complete enterprise PKI management system, delivered either as an integrable part or as a turnkey solution. EJBCA OCSP and EAC are sub functions of EJBCA PKI, and are used for on-line validation and ePassports.

EJBCA offers great advantages such as excellent cost-effectiveness, unmatched flexibility, complete integration – and full professional maintenance and support by PrimeKey, www.ejbca.com

Notes from the Oasis International Cloud Symposium 2011

Just home from the the Oasis International Cloud Symposium 2011 i made a few notes. The notes should not be seen as giving a view what was most interesting or most important. They are just the notes that I happened to take down, I can have missed things drinking coffee, checking email or whatever.

One conclusion is that Cloud computing promises a lot, but due to legal, security, privacy and interoperability issues use of cloud computing for more sensitive types of data is still far away.

Day 1
-----
Security loves the Cloud. In many cases organizations moving old applications to the cloud gets more secure. They get a platform managed by experts etc.
There are a lot of other security challenges in the cloud, but platform security can often become better.

Local government authorities tend to compete instead of cooperate. Due to how their organizations work and how they procure IT, they do not have any idea of what operation of their services actually cost, and they don't have a mind set of sharing (with other authorities).

Adding complexity (for seemingly increasing availability) can actually decrease availability. Having a back-up site with automatic fail over is not much point if
service work on the back up site brings the primary site down (the speaker had a real example).
(my notes, this we have also noted in practice)

PaaS cloud services can handle availability issues, but you have to spread the applications across availability zones.

Day 2
-----
Private market and government manages risk differently. Government tends to treat things as national security risks, while private views everything as a business risk and only calculates the cost.

Moving lots of things to the Cloud can increase security but also creates huge targets to concentrate on for the bad guys.

ENISA has created a book describing many different risk management methodologies.

Something missing is a way for the (cloud) customer to make informed risk assessments, such as security "grades" or checklists of the cloud provider.

There is a need for, in many applications, of stronger authentication (than the usual username/pwd). The are wide-spread PKI eId infrastructures deployed ready to be used.
Many examples of security breaches would have been considerably more difficult with the use of PKI authentication.

XACML is a flexible authorization framework that makes things better and more flexible. It can de-couple, and centralize, authorization decisions from the apps themselves.

Security audit is essential for real cloud operations.

Privacy issues are important. Users personal data needs protection using technical, business and policy means. There is no single silver bullet, but all areas are needed.

Currently processing of personal data in public clouds is not possible due to data protection reasons.

There is a lot of legal impediments to successful cloud implementations.

An interesting figure is that 50% of all productivity gains (economics, GNP).

Technology issues in cloud computing are mostly solved, or will be solved soon. Remaining issues that are harder are QoS, SLAs, data ownership and jurisdiction.
There are many issues in the legal arena.

Day 3
-----
There are several cloud reference architectures out there. ISO is trying to combine them into one, but there will probably be several for different areas (IT, telecom etc).

EGI (European Grid Initiative) is aligning with NIST and will deploy a federated cloud in Europe.

Microsoft showed a commercial video, a bit of track imho...

Anil Saldhana of RedHat described the work that the IDCloud TC of Oasis is doing with use cases.

There is a lot of standardization efforts in the cloud area. All different standardisation organizations are trying to figure out what of all this is their part to work on.
Everyone is approximately pulling in the right direction but it will take some time before the dust settles and everyone figures out where they can best contribute.

The standardization process must be Open!

IEEE is working on Inter cloud protocols. ISO is looking at a higher level starting with common terminology and reference architectures.

GICTF is trying to find the best of other standard organizations to work with.

IGTF operates as a global CA for, the OGF.