CONTENTS
- CDSA Newsletter: What's it all about
- CDSA Awareness Days: Follow-up
- Future Events
- The Revised CDSA Specification
- Remote Authority Services through CDSA: the new PKIX3 interfaces
- CDSA and UAS, HA-API and BioAPI
- Product News: Hewlett-Packard & AT&T
- Product News: Bull
- Personalia
- Contact Information
- Contributions
- Future Issues of the CDSA Newsletter
CDSA-Newsletter: What's it all about?
Welcome to the first issue of the CDSA Newsletter. This newsletter is designed to meet the demand for continuing information about the Common Data Security Architecture (CDSA) following the success of the CDSA Awareness Days co-sponsored by Intel, IBM and The Open Group. It is distributed by email and via the Web, will carry news and information about CDSA, and will be issued as and when articles become available. Each issue will comprise just a few pages, making it easy to digest. Longer articles will be serialized, or summarized in the newsletter and made available from the Web. We also anticipate publication of a number of white papers.
The following experts have agreed to serve on an Advisory Board:
- Mike Premi and John Wilson from Intel
- Bill Franklin and Mike Muresan from IBM
- Mike Jerbic from Hewlett-Packard
- Aram Perez from Apple.
The CDSA Newsletter is written for a number of different audiences. It will help CIOs and their reports to understand the merits of CDSA. It will also help software developers. Most of the articles will assume some technical knowledge and an appreciation of security needs.
CDSA Awareness Days: Follow-up
Intel Corporation, IBM and The Open Group sponsored the Common Data Security Architecture (CDSA) Awareness Days. These one-day seminars attracted software developers, integrators, and IT decision makers from over 200 companies. The two seminars, which took place in Washington, DC and San Francisco, included presentations from several vendors including Apple, Compaq, Cylink, Hewlett-Packard, IBM, Intel, Lotus, and The Open Group. PDF versions of the presentations can be downloaded from http://www.cdsasecurity.com/cdsa aware.htm
Future Events
The upcoming Quarterly Conference of The Open Group in Montreal (from 19th July) has Privacy and the Global Enterprise as its main theme. The Security Program Group meets to examine the proposals for an API to biometric devices (see below) and to discuss a number of topics related to CDSA, including testing, conformance, and branding. Further details of the Conference can be found at http://www.opengroup.org/conference
We hope to announce a new schedule of CDSA Awareness Days in the next issue of the CDSA Newsletter.
The Revised CDSA Specification
The current version of the CDSA Technical Standard was published in November 1997. Development and deployment experience among platform vendors and application developers during 1998 has led to a revision of the CDSA specification by members of The Open Group's Security Program Group. The revision extends current CDSA features to embrace other industry standards efforts in the following areas:
- Remote Certification Authority Services
- Basic privilege and authorization mechanisms to support corporate and government policies on cryptography and security services
- Use of generalized credentials by human users
- Performance enhancing features for manipulating certificates and certificate revocation lists
The revised specification completed its formal Company Review by The Open Group in March 1999. While all voting points passed with the Open Group-required 75% majority, a few ballot items did not achieve unanimous agreement. To this end, Intel (as the primary sponsor of the CDSA specification) worked with members of the Security Program Group to achieve a unanimously supported resolution to all ballot points.
We are pleased to report that an agreed proposal has been put forward and accepted by the members of the Security Program Group. The revised specification is awaiting final ratification by The Open Group's Board of Approvals in late June. The Open Group will publish the revised and ratified CDSA specification in July 1999.
The existing specification can be found at: http://www.opengroup.org/publications/catalog/c702.htm and the URL for the new version will be http://www.opengroup.org/publications/catalog/c902.htm
Remote Authority Services through CDSA - the new PKIX3 interfaces
Denise Ecklund (Intel) gave a presentation at the recent Open Group Quarterly Conference near Copenhagen, covering the new requirements that PKIX3 presents for the CDSA Certification Authority (CA) Interfaces. The CDSA Technical Standard of November 1997 provided interfaces for CA services that issue certificates to a client, known as an end-entity (EE). The CDSA CA services have been extended to cover certificate revocation, on-line verification, suspension and release, notarization, and reclamation of use of private keys. The CDSA interfaces are extensible, so access to new CA services can easily be added to meet future needs. Denise said that the CDSA design approach is to retain the three-party model (CA, RA, EE), define a few generic extensible APIs to encapsulate existing protocols (such as PKIX-3, PKCS#10), and to specify service-specific data structures. Denise described the proposed authenticated client-to-authority calls (SubmitRequest, RetrieveResult, ConfirmResult) and the currently defined ServiceIDs. She outlined the service-specific types and structures, and showed examples of the CertIssue and CertChange operations. These services require authentication of the client requesting the service. She also covered the "free", non-authenticated client-to-Registration Authority calls (FormRequest, FormSubmit) and the currently defined FormTypes. The result of this work is a consistent set of remote service interfaces that can encapsulate other industry standard protocols and data formats for accessing CA services.
Copy of Denise Ecklund's slides
CDSA and UAS, HA-API and BioAPI
At the recent Open Group Quarterly Conference near Copenhagen, John Wilson (Intel) gave a status report on the positioning of the User Authentication Service (UAS) API as an elective service within CDSA. He described the Human Authentication API (HA-API), which has been under development by the industry for two years. There are implementations and products in the market based on this API. John explained the work of the BioAPI consortium, which has been re-organized as a merger of the former BioAPI consortium and the HA-API Working Group. The BioAPI consortium is working to merge the UAS HA-API and the previous work of the BioAPI consortium to produce a unified Biometric API.
The Intel UAS specification incorporates and extends HA-API within the CDSA environment. Intel proposes to submit the resulting specification to The Open Group Fast-Track process for adoption as Version 1 of a UAS Technical Standard. The BioAPI specification, when completed in twelve months' time, will then be a candidate for merger with the UAS Standard.
There was considerable supporting discussion amongst members of The Open Group's Security Program Group regarding the merits of this approach. John Wilson's slides are available here. Members of the Open Group can review the minutes of the session on The Open Group web site.
Product News - Hewlett-Packard and AT&T
HP ADDS COMMON DATA SECURITY ARCHITECTURE (CDSA) TO HP-UX 11 AND LICENSES AT&T CRYPTOGRAPHIC LIBRARIES
Tools Simplify Development and Export of Secure Ecommerce Applications.
PALO ALTO, Calif., June 16, 1999 - Hewlett-Packard Company and AT&T today announced immediate availability of CDSA (Common Data Security Architecture), The Open Group standard software security framework, for HP-UX(1) 11, HP's business critical proven 64-bit UNIX(R) operating system.
HP also announced an agreement to license AT&T encryption technology for three CDSA Cryptographic Service Providers (CSPs). This added capability gives application developers a comprehensive set of encryption and public key infrastructure (PKI) application interfaces to simplify and reduce the cost of secure application development. The new security package, HP Praesidium CDSA Version 1.2, will be available at no charge to all HP-UX 11 customers.
"HP customers need rock solid security across their business applications and IT infrastructure," said Patrick Rogers, worldwide marketing manager of HP's Business Critical Computing Business Unit. "CDSA makes it easy for HP-UX 11 developers to incorporate strong security features into their applications and distribute them worldwide. HP continues to deliver on its promise to provide a high performance, end-to-end secure computing environment."
HP Praesidium CDSA Version 1.2 is included at no charge on the HP-UX 11 Application Release CD, which is available now to all HP-UX 11 customers.
Footnote (1). HP-UX Release 10.20 and later and HP-UX Release 11.00 and later (in both 32 and 64-bit configurations) on all HP 9000 computers are Open Group UNIX 95 branded products. UNIX is a registered trademark of The Open Group.
The above was extracted from the full press release.
Product News - Bull
The Internet has evolved computing into an information ecosystem. In order to protect information assets in this hyper-connected world, platforms, operating systems, and applications must be enhanced to include a comprehensive, robust, and interoperable set of security services.
Linux, one of the new operating systems of the Internet age, is a UNIX-like operating system created by Linus Torvalds. By harnessing the assistance of developers around the world, Linux has incorporated many advanced features including true multitasking, virtual memory, shared libraries, demand loading, memory management, and TCP/IP networking. By leveraging its virtual worldwide development team, Linux may soon provide clustering and a journaled file system, ultimately making Linux a compelling, and less expensive alternative to other "business critical" operating systems.
On June 17, Bull S.A., an international IT group headquartered in France, announced at the Linux Expo in Paris that they have licensed the international version of Common Security Services Manager (CSSM 2.0) reference implementation from Intel Corporation. CSSM is the core framework of the Common Data Security Architecture (CDSA). "CDSA together with our high speed cryptographic components will provide the Linux community with a very powerful combination for the development of trusted business applications", commented Paul Bennett, Manager of Bull's Secure Internet Server Business Line.
This announcement from Bull marks the first worldwide implementation of the Common Data Security Architecture (CDSA) on the Linux operating system. Hervé Mouren, President of Bull's Server Division stated that, "CDSA is the industry standard for application developers to integrate robust security capabilities into their applications today."
Later this year, Bull will be delivering a range of Intel-based secure ecommerce appliances designed to provide robust, high speed cryptographic services for Internet-based transactional environments. By using CDSA, Bull will be able to ensure that these appliances are easy to integrate into existing security-enabled environments, and will also assist third party suppliers to provide "value added" plugins to address specific customer requirements. CDSA is the infrastructure that Bull will use to provide strong, non-limited encryption for its European customers.
CDSA, created by Intel, is a leading security framework for the development of security-enabled applications that are interoperable, extensible, and offer cross platform support. Established as an industry specification by The Open Group and adopted by a wide range of technology companies, CDSA enables developers to quickly and easily create advanced, security-enabled applications for Ecommerce, trusted communications, and distribution of high value digital content over the Internet.
For details of Bull's product offerings, please contact Catherine Beaufils: catherine.beaufils@bull.net
The press release is available here.
Personalia
Denise Ecklund (Intel) has told us that she is taking leave of absence from Intel. We have invited John Wilson to take her place on the CDSA-Newsletter Advisory Board and use these columns to wish Denise well and to thank her for her work, especially on the revision of the CDSA Specification.
Contact Information
Primary sources of information about CDSA include the Intel and IBM websites, as well as The Open Group site. CDSA Awareness Days and other information are also available at http://www.cdsasecurity.com.
We are in the process of building a comprehensive list of contacts and sources, principally CDSA licensees. Below is a preliminary list. We would like to add CDSA and/or CDSA product specific URLs and email contacts, and welcome help in gathering this information.
- Apple: http://www.apple.com
- AT&T: http://www.att.com
- Baltimore: http://www.baltimore.com
- Bull: http://www.bull.com
- CDSA: http://www.cdsasecurity.com
- Certicom: http://www.certicom.com
- Chrysalis: http://www.chrysalis.com
- Compaq: http://www.compaq.com
- Cylink: http://www.cylink.com
- Digital Persona: http://www.digitalpersona.com
- IBM: http://www.ibm.com and http://www.ibm.com/security/cryptoproducts
- Intel: http://www.intel.com and http://www.intel.org/ial/security
- ISG: http://www.veriguard.com
- Lotus: http://www.lotus.com
- Motorola: http://www.motorola.com
- Rainbow: http://www.rainbow.com
- RSA: http://www.rsa.com
- The Open Group: http://www.opengroup.org
- Valicert: http://www.valicert.com
- Veridicom: http://www.veridicom.com
Contributions
Yes, we would be happy to receive contributions to the CDSA Newsletter and these can be sent via any member of the Advisory Board. All submissions will be considered for publication though they will be subject to review and minor editing prior to publication. Naturally, we reserve the right not to publish.
We are equally keen to learn what you would like to see in the CDSA Newsletter. So please send us an email suggesting items you would like to read about or subjects you'd like explained.
Future Issues of the CDSA-Newsletter
The CDSA Newsletter is free-of-charge and will be widely circulated.
The CDSA Newsletter is edited by Phil Holmes and published by The Open Group. Copyright(R) The Open Group, 1999.