Public Key Infrastructure is too expensive,
today, for what customers get in return for deploying it.
Reed-Matthews, Inc. is determined to change that.
On this page, we document some of the PKI resources we've found. Perhaps
they'll be of use to you, too. This is by no means complete. But it's
a useful start.
Open Source CAs
There are several open source code bases under active development today.
- EJBCA - Java Enterprise Java Beans Certificate Authority: Looks like a very
interesting project. We would integrate it with something like WebSphere or
WebLogic to create the customer-located services.
- OpenSSL - includes a command-line CA capability for minting certificates.
Probably the most widely deployed SSL implementation in the Linux / Open
Source space.
- OpenCA - a suite of wrapper scripts and web interfaces for the OpenSSL
CA code, to fill out the CA offering to include an OCSP responder,
integration with a directory, Apache web server, etc.
- Cryptlib - from Peter Gutmann - includes CA, OCSP, etc. client and
responder functions as well as signers, etc., implemented with a
security-monitor architecture to govern key usage and other policies
associated with the crypto. It looks like it's something you could create
a CA product from.
In addition to OpenSSL and Cryptlib, here are some useful SDKs and frameworks
for working with PKI stuff:
- Intel's CDSA - their open source crypto middleware framework that's the
basis of many of the Unix and standards bodies' efforts to organize such
things.
- ASN.1 compiler originally developed at the University of British
Columbia, as updated by the folks at Getronics for the NIST Federal
Bridge CA project
- CML - the Certificate Management Library, which is a cert chain
verification SDK that knows how to interoperate with several tested
products, and with
- ACL - the Access Control Library, used to implement MISSI SDN.801 "Access
Control Concept and Mechanisms" for label-based data handling policies
(à la Defense Messaging Services - DMS, and its S/MIME equivalent), from
- S/MIME Free Library, which is what it says, an S/MIME library for
implementing DMS, really, from Getronics