This is one of a series of messages describing new features in Isode R14.4, scheduled to ship in April 2009. You can see all of the messages on this blog relating to R14.4 by clicking on this link.
There is a close relationship between X.509 PKI (Public Key Infrastructure) and X.500/LDAP directory. It is common practice to store certificates, CRLs (Certificate Revocation Lists) and other PKI information in a directory. For a complex PKI with multiple Certification Authorities (CAs) there will be many entities publishing related information into the directory. This can be complex. Isode provides tools to manage PKI information in the directory with two types of target user:
Those deploying Isode products, which make use of PKI to support digital signatures for a number of peer authentication and other security features. This is part of the management tool set in support of an Isode deployment.
Those operating a PKI for other purposes, and simply using Isode servers to hold the data.
R14.4 adds a number of capabilities to make these tasks easier. Sodium has significantly enhanced display of PKI objects and in particular Certificates and CRLs in order to make more useful information available to the manager.
As a part of Certificate display, Sodium provides an option to verify the certificate. This will be done using trust anchors and other verification settings from the bind profile, so multiple profiles can be defined to give different checking environments. The checks use the same verification libraries as the Isode client and server products, so this is helpful to diagnose authentication configuration problems with Isode servers, as well as general purpose checking of PKI correctness.
The following screenshots show display of information in a CRL, and certificate verification in Sodium.
EEMA was founded in 1987 as the European Electronic Messaging Association, mirroring the now defunct EMA. EEMA has continued with a loyal group of supporters and shifted focus with industry trends. Its focus is now Electronic Identity, and we recently attended the two day European e-Identity Conference in The Hague.
EEMA is outsourcing its operations, which is working well. This change has restored its finances to a sound footing. There are regular meetings around Europe and special interest groups.
There was an attendance of almost 200, and a good selection of worthwhile talks. Corporate membership is low cost, and worth considering for organizations and individuals interested in Electronic Identity.
As flagged up in previous blog posts, R11.2 incorporates a number of significant changes to our product:
With R11.2 we've introduced support for X.509 based strong authentication, also referred to as X.509 PKI (Public Key Infrastructure). The X.509 standard specifies the standardized information contained within a digital certificate, and support for X.509 is an important element of our directory support for PKI systems.
We've enhanced the M-Vault directory product to include strong authentication between servers for directory chaining (X.500 DSP) and directory replication (X.500 DISP). Strong authentication is also provided for client access using both LDAP and X.500 DAP. A new white paper describes the benefits of this security.
To smooth the adoption of Strong Authentication we've built our own, easy to use Certificate Authority (CA) - the Isode MiniCA which contains all the necessary functionality needed to process Certificate Signing Requests, issue and revoke certificates and generate certificate revocation lists. More information on our Strong Authentication infrastructure can be found here. Our servers can also be used with commercially available Certificate Authorities like Entrust and RSA Keon.
Military & Aviation
Two of our major markets are military and aviation (AMHS) messaging, based on the X.400 standard. With R11.2 we've included easy setup options for X.400 content types utilized by military and aviation messaging systems as well as extended our X.400 routing to enable the use of wildcards, allowing an MTA (Message Transfer Agent) to use matches on part of an O/R address to decide where a message is routed to.
Directory Client API
The aviation and military markets will also benefit from changes to our Directory Client API, which now supports both X.500 DAP and LDAP (Lightweight DAP) allowing a single application to mix DAP and LDAP calls. Developers working in these sectors are often required to produce applications conformant to DAP but which might also be used with LDAP.
All of our messaging servers support directory-based configuration, having all configuration information stored in a directory from where it can be shared between messaging servers. We've improved our support for directory-based configuration in R11.2 resulting in changes to each of our three Internet servers: M-Switch, M-Vault and M-Box.
M-Switch has adopted the LDAP Schema for Intranet Mail Routing (LASER) which defines an approach to 'last step' mail routing. Amongst the benefits of LASER is that it allows M-Switch to perform email address checking on the boundary of an organization cutting down on server load when dealing with invalid addresses.
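The following is an added illustration of LASER-style "last step" routing, not M-Switch code: a tiny in-memory stand-in for the directory (constructed sample entries using the inetLocalMailRecipient attributes mailHost and mailRoutingAddress) and a resolver that refuses unknown local recipients at the organization boundary instead of accepting and later bouncing them. The exact precedence between mailHost and mailRoutingAddress is a simplified reading of the LASER draft for this example.

```python
from typing import Optional, Tuple

# Constructed sample directory content keyed on the 'mail' attribute; the
# values are the LASER inetLocalMailRecipient attributes mailHost and
# mailRoutingAddress. Keys are lower-cased because lookups ignore case.
DIRECTORY = {
    "alice@example.com": {"mailHost": "mbox1.example.com"},
    "bob@example.com": {"mailHost": "mbox2.example.com",
                        "mailRoutingAddress": "bob.smith@mbox2.example.com"},
    "sales@example.com": {"mailRoutingAddress": "alice@example.com"},
    "ping@example.com": {"mailRoutingAddress": "pong@example.com"},  # deliberate loop
    "pong@example.com": {"mailRoutingAddress": "ping@example.com"},
}
LOCAL_DOMAINS = {"example.com"}  # domains this MTA is authoritative for

def lookup(address: str) -> Optional[dict]:
    """Stand-in for an LDAP search with filter (mail=<address>)."""
    return DIRECTORY.get(address.lower())

def route(recipient: str, max_hops: int = 5) -> Tuple[str, ...]:
    """Resolve one envelope recipient the LASER way.

    Returns one of:
      ("external", address)      not a local domain, normal MX routing applies
      ("reject", smtp_reply)     unknown local user, refused at the boundary
      ("relay", host, address)   hand to mailHost, address possibly rewritten
      ("local", address)         entry exists with no routing attributes
    """
    for _ in range(max_hops):  # bound mailRoutingAddress rewrite chains
        local_part, _, domain = recipient.rpartition("@")
        if not local_part or domain.lower() not in LOCAL_DOMAINS:
            return ("external", recipient)
        entry = lookup(recipient)
        if entry is None:
            # The boundary check: refuse before accepting the message body,
            # so bogus recipients cost no queueing or later bounce traffic.
            return ("reject", "550 5.1.1 no such user: " + recipient)
        target = entry.get("mailRoutingAddress", recipient)
        if "mailHost" in entry:
            return ("relay", entry["mailHost"], target)
        if target.lower() != recipient.lower():
            recipient = target  # rewrite and resolve the new address
            continue
        return ("local", recipient)
    return ("reject", "554 5.4.6 routing loop for " + recipient)
```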
We've also implemented LDAP Proxied Authorization Control (Proxy Auth) in M-Vault. Proxy Auth is used where a server wishes to perform directory operations on behalf of another user. M-Box can use Proxy Auth to get information from the directory on IMAP and POP users, simplifying setup and management.
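As an added example (not M-Vault or M-Box code), the following encodes the LDAP Proxied Authorization Control from RFC 4370 with a minimal BER encoder and shows the server-side decision a directory has to make before honouring it: the bound identity, not the client-supplied control, determines whether proxying is permitted. The proxy policy and DNs are constructed for the example.

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # RFC 4370 control type

def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content

def encode_proxy_authz_control(authz_id: str, critical: bool = True) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN,
    controlValue OCTET STRING }. RFC 4370 puts the authzId octets in the
    value directly; there is no inner BER structure to encode."""
    body = _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
    body += _tlv(0x01, b"\xff" if critical else b"\x00")
    body += _tlv(0x04, authz_id.encode("utf-8"))
    return _tlv(0x30, body)

# Constructed policy: bound DN -> subtrees it may assume identities in.
# The server keys this on the identity established at bind time; the
# control itself is client-supplied and proves nothing on its own.
PROXY_POLICY = {
    "cn=mbox,cn=services,o=example": ["ou=users,o=example"],
}

def authorize_proxy(bound_dn: str, authz_id: str, policy=PROXY_POLICY) -> str:
    """Return the DN the operation will run as, or raise PermissionError."""
    if not bound_dn:
        raise PermissionError("anonymous binds may not use proxied authorization")
    if authz_id == "":
        return ""  # RFC 4370: a zero-length authzId requests anonymous authorization
    if not authz_id.startswith("dn:"):
        raise PermissionError("this example accepts only dn: authzIds")
    target = authz_id[3:].strip()
    allowed = policy.get(bound_dn.lower(), [])
    if not any(target.lower().endswith("," + s.lower()) for s in allowed):
        raise PermissionError(f"{bound_dn} may not act as {target}")
    return target
```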
More details on the new release, together with links to supporting whitepapers, can be found on the 'Latest Release' page of our website.
We're seeing an increasing number of large scale, complex Public Key Infrastructure (PKI) projects comprising a number of inter-related Certification Authorities (CAs).
When PKI projects increase in complexity so do the requirements placed on directory. As the PKI is distributed, it makes sense to distribute the directory that supports these complex projects.
The latest whitepaper published on our site looks at the directory requirements to support a complex PKI and what is needed to provide such a directory service. The paper is public access and can be found here.