June 03, 2009

Steve Kille speaking at e-Identity conference


Isode CEO Steve Kille will be speaking at the European e-Identity Management Conference in London taking place on the 25/26 June 2009.

Steve's talk on "ICAO Master Lists and Passport Verification using PKI" will take place on day two of the conference at 11:00am. The full conference program can be found here in PDF format.

We'll publish a summary of Steve's talk, including slides, the week following the event.

Full conference details can be found at http://www.revolutionevents.plus.com/eema/

March 26, 2009

Isode R14.4: PKI Display and Checking

This is one of a series of messages describing new features in Isode R14.4, scheduled to ship in April 2009. You can see all of the messages on this blog relating to R14.4 by clicking on this link.

There is a close relationship between X.509 PKI (Public Key Infrastructure) and the X.500/LDAP directory. It is common practice to store certificates, CRLs (Certificate Revocation Lists) and other PKI information in a directory. For a complex PKI with multiple Certification Authorities (CAs) there will be many entities publishing related information into the directory, which can be complex to manage. Isode provides tools to manage PKI information in the directory with two types of target user:

  1. Those deploying Isode products, which make use of PKI to support digital signatures for a number of peer authentication and other security features. This is part of the management tool set in support of an Isode deployment.
  2. Those operating a PKI for other purposes, and simply using Isode servers to hold the data. 

R14.4 adds a number of capabilities to make these tasks easier. Sodium has significantly enhanced display of PKI objects, in particular Certificates and CRLs, to make more useful information available to the manager.

As a part of Certificate display, Sodium provides an option to verify the certificate. This is done using trust anchors and other verification settings from the bind profile, so multiple profiles can be defined to give different checking environments. The checks use the same verification libraries as the Isode client and server products, so this is helpful for diagnosing authentication configuration problems with Isode servers, as well as for general purpose checking of PKI correctness.

The following screenshots show display of information in a CRL, and certificate verification in Sodium.


[Screenshot: Certificate Revocation List (revoked certificates)]
[Screenshot: Certificate Verification in Sodium]
[Screenshot: Certificate Verification Result]

June 19, 2008

EEMA has found a new role

EEMA was founded in 1987 as the European Electronic Messaging Association, mirroring the now defunct EMA. EEMA has continued with a loyal group of supporters and shifted focus with industry trends. Its focus is now Electronic Identity, and we recently attended the two day European e-Identity Conference in The Hague.

EEMA is outsourcing its operations, which is working well. This change has restored its finances to a sound footing. There are regular meetings around Europe and special interest groups.

There was an attendance of almost 200, and a good selection of worthwhile talks. Corporate membership is low cost, and worth considering for organizations and individuals interested in Electronic Identity.

- Steve Kille, CEO.

November 11, 2005

R11.2 released

As flagged up in previous blog posts, R11.2 incorporates a number of significant changes to our product:

Strong Authentication

With R11.2 we've introduced support for X.509 based strong authentication, also referred to as X.509 PKI (Public Key Infrastructure). The X.509 standard specifies the standardized information contained within a digital certificate; support for X.509 is an important element in our directory support for PKI systems.

We've enhanced the M-Vault directory product to include strong authentication between servers for directory chaining (X.500 DSP) and directory replication (X.500 DISP). Strong authentication is provided for client access using both LDAP and X.500 DAP. A new white paper describes the benefits of this security.

To smooth the adoption of Strong Authentication we've built our own, easy to use Certificate Authority (CA), the Isode MiniCA, which contains all the functionality needed to process Certificate Signing Requests, issue and revoke certificates and generate certificate revocation lists. More information on our Strong Authentication infrastructure can be found here. Our servers can also be used with commercially available Certificate Authorities like Entrust and RSA Keon.

Military & Aviation

Two of our major markets are military and aviation (AMHS) messaging, based on the X.400 standard. With R11.2 we've included easy setup options for X.400 content types utilized by military and aviation messaging systems as well as extended our X.400 routing to enable the use of wildcards, allowing an MTA (Message Transfer Agent) to use matches on part of an O/R address to decide where a message is routed to.

Directory Client API

The aviation and military markets will also benefit from changes to our Directory Client API, which now supports both X.500 DAP and LDAP (Lightweight DAP) allowing a single application to mix DAP and LDAP calls. Developers working in these sectors are often required to produce applications conformant to DAP but which might also be used with LDAP.

Our growing ISP market will benefit from product changes that further our stated directory vision of 'One Directory Entry - One Person - One Account'.

Directory based configuration

All of our messaging servers support directory-based configuration, having all configuration information stored in a directory from where it can be shared between messaging servers. We've improved our support for directory-based configuration in R11.2 resulting in changes to each of our three Internet servers: M-Switch, M-Vault and M-Box.

M-Switch has adopted the LDAP Schema for Intranet Mail Routing (LASER), which defines an approach to 'last step' mail routing. Amongst the benefits of LASER is that it allows M-Switch to perform email address checking on the boundary of an organization, cutting down on server load when dealing with invalid addresses.
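As an added illustration of the LASER routing step described above (example code written for this post, not Isode's own), the per-recipient decision a LASER-aware boundary MTA makes: unknown addresses are refused at RCPT TO, known ones are routed by the LASER attributes mailHost and mailRoutingAddress. An in-memory list of constructed inetLocalMailRecipient entries stands in for the directory, and the `route` and `lookup` functions are hypothetical names chosen here.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample entries (object class inetLocalMailRecipient, as LASER
# defines it); a real M-Switch would fetch these from M-Vault over LDAP.
DIRECTORY = [
    {"dn": "cn=Ann Lee,o=Example",
     "mailLocalAddress": ["ann@example.com", "a.lee@example.com"],
     "mailHost": "mbox1.example.com"},
    {"dn": "cn=Bob Ray,o=Example",
     "mailLocalAddress": ["bob@example.com"],
     "mailRoutingAddress": "bob.ray@partner.example.net"},
]

@dataclass
class RoutingDecision:
    action: str                    # "reject", "deliver" or "relay"
    recipient: str                 # recipient after any LASER rewrite
    next_hop: Optional[str] = None
    smtp_code: int = 250

def lookup(address):
    # LASER compares the domain part case-insensitively; folding the local
    # part too is a simplification assumed for this example.
    want = address.lower()
    return [e for e in DIRECTORY
            if any(a.lower() == want for a in e.get("mailLocalAddress", []))]

def route(recipient, local_hosts):
    """Decide at the boundary MTA what to do with one RCPT TO address."""
    matches = lookup(recipient)
    if not matches:
        # Unknown recipient: refuse at RCPT TO instead of accepting the whole
        # message and generating a bounce later (the server-load saving).
        return RoutingDecision("reject", recipient, smtp_code=550)
    if len(matches) > 1:
        # Ambiguous directory data: fail temporarily rather than guess
        # (policy assumed for this example, not taken from the post).
        return RoutingDecision("reject", recipient, smtp_code=451)
    entry = matches[0]
    # mailRoutingAddress, when present, replaces the recipient address.
    target = entry.get("mailRoutingAddress", recipient)
    host = entry.get("mailHost")
    if host and host.lower() in local_hosts:
        return RoutingDecision("deliver", target, next_hop=host)
    if host:
        return RoutingDecision("relay", target, next_hop=host)
    # No mailHost: relay the (possibly rewritten) address by its domain.
    return RoutingDecision("relay", target, next_hop=target.rsplit("@", 1)[1])
```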

We've also implemented LDAP Proxied Authorization Control (Proxy Auth) in M-Vault. Proxy Auth is used where a server wishes to perform directory operations on behalf of another user. M-Box can use Proxy Auth to get information from the directory on IMAP and POP users, simplifying setup and management.

More details on the new release, together with links to supporting whitepapers, can be found on the 'Latest Release' page of our website.

July 21, 2005

New Isode Whitepaper on PKI

We're seeing an increasing number of large scale, complex Public Key Infrastructure (PKI) projects comprising a number of inter-related Certification Authorities (CAs).

When PKI projects increase in complexity so do the requirements placed on directory. As the PKI is distributed, it makes sense to distribute the directory that supports these complex projects.

The latest whitepaper published on our site looks at the directory requirements to support a complex PKI and what is needed to provide such a directory service. The paper is public access and can be found here.