Category:OWASP OpenSign Server Project

=Releases=

OpenSign Server

Version 1.0 (26th of October 08)

 * This version works with the Java client version 1.0
 * An "About" button has been added

Version 0.5 (14th of October 08)

 * Users must now be enabled for the certification service by the issuer above them in order to build up chains of trust
 * The settings page for issuers has been extended for maintaining the subordinate entities
 * Several server pages have been enhanced in terms of functionality and design

Version 0.4 (28th of August 08)

 * Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key handling in the key store. Most dummy code has been removed.
 * This version supports the use of OSSJClient version 0.9 for the commands "getcert", "verifycert" and "csr"

Version 0.3 (21st of July 08)

 * Easily extendable persistence layer, set up using Hibernate Annotations.
 * Possibility to run the server in memory, in which case data is lost when the server process is terminated, or to run the server on top of a MySQL database.
 * The logging mechanism has been enhanced, including means to pipe the log output from the OpenSign server as well as from Jetty and Hibernate to a log file.
 * Same functionality as version 0.2 from a user's point of view.

Version 0.2 (14th of July 08)

 * Demo setup of an X.509 hierarchy intended to provide code signing certificates. This involves one root issuer, an unlimited number of sub-issuers, and end-users.
 * End-users may issue a certificate signing request and obtain the certificate in return.
 * Demo accounts of two end-users ("user1", "user2") and two issuers ("root", "user3"), each with password "123".
 * Possibility for registering new end-users and issuers.
 * Session handling: login and logout of users
 * Storage of issuer key pairs and all certificates in a server-side key store.
 * Public access to all certificates in the system, with support for binary and PEM format. E.g., the certificate of the root issuer may be retrieved
 ** in binary format (default): http://localhost:8080/root?property=cert
 ** or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
 * User/resource profile, which is accessible at the resource path without further parameters, e.g. http://localhost:8080/root/user1
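The hierarchy described in the 0.2 notes (one root issuer, sub-issuers enabled by the issuer above them, end-users holding code signing certificates) and the two certificate output formats can be illustrated stand-alone. The following Go program is an added example, not code from the OpenSign project: it constructs a throwaway root, sub-issuer and end-user with the demo names, encodes a certificate the way the server's binary and PEM responses would, and shows that an end-user certificate only verifies when the full chain back to the root is present. The names "root", "user3" and "user1" are taken from the release notes; the keys, serial numbers and validity periods are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Entity is one node of the demo hierarchy (root issuer, sub-issuer or end-user).
// Keys and certificates are constructed for illustration; nothing is fetched
// from a running OpenSign server.
type Entity struct {
	Name string
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue creates a certificate for name. With parent == nil it is self-signed
// (the root issuer); otherwise it is signed with the parent's key, which is
// what "enabling" a subordinate entity amounts to cryptographically.
func issue(name string, parent *Entity, isCA bool, serial int64) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		// End-user certificates are restricted to code signing.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	parentCert, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Entity{Name: name, Key: key, Cert: cert}, nil
}

// encode mirrors the two formats of ?property=cert: DER (binary, the default)
// or PEM when responseFormat is "PEM".
func encode(cert *x509.Certificate, responseFormat string) []byte {
	if responseFormat == "PEM" {
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	}
	return cert.Raw
}

// decode accepts either format, as a client retrieving a certificate should.
func decode(data []byte) (*x509.Certificate, error) {
	if block, _ := pem.Decode(data); block != nil && block.Type == "CERTIFICATE" {
		data = block.Bytes
	}
	return x509.ParseCertificate(data)
}

// verifyChain checks that leaf chains to root through the given intermediates
// and is valid for code signing. A missing intermediate or a foreign root makes
// the check fail; that is what the chain of trust buys the verifier.
func verifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// BuildDemoHierarchy recreates the demo layout: root issuer "root", sub-issuer
// "user3" enabled by root, end-user "user1" enabled by user3.
func BuildDemoHierarchy() (root, sub, user *Entity, err error) {
	if root, err = issue("root", nil, true, 1); err != nil {
		return
	}
	if sub, err = issue("user3", root, true, 2); err != nil {
		return
	}
	user, err = issue("user1", sub, false, 3)
	return
}

func main() {
	root, sub, user, err := BuildDemoHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s", encode(root.Cert, "PEM"))  // what responseFormat=PEM would return
	leaf, _ := decode(encode(user.Cert, ""))   // round trip through the binary format
	fmt.Println("full chain:", verifyChain(leaf, []*x509.Certificate{sub.Cert}, root.Cert))
	fmt.Println("without sub-issuer:", verifyChain(leaf, nil, root.Cert))
}
```

The second verification in `main` fails with an unknown-authority error because the end-user's issuer ("user3") is neither a trusted root nor a supplied intermediate; a client that only trusts the root therefore needs the sub-issuer's certificate as well, which is why the server publishes every certificate in the system.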

Version 0.1 (1st of July 08)

 * Access to the root certificate via HTTP GET: http://localhost:8080/ca
 * Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP POST to http://localhost:8080/ca/csr

Java Client

Version 1.0 (26th of October 08)

 * This version has been modified to work with the server version 1.0

Version 0.9 (28th of August 08)

 * Commands supported: "getcert", "verifycert" and "csr"

=Roadmap=

OpenSign Server
Goal

The goal of the OpenSign Server (OSS) is to serve as a trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal, the following roadmap will be implemented:

Version 0.1

This version is a proof-of-concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing an X.509 certificate works efficiently. Furthermore, generation and distribution of the root certificate are also supported.

Version 0.2

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

Version 0.3

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

Version 0.4

The Reviewer role is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

Version 0.5

The web interface is enriched with dynamically generated pages that allow maintenance of the system depending on the user's role.

Version 1.0

Well tested and documented PKI for code signing which is running online at: www.???.com. This is the goal for Summer of Code 2008!

Version 2.0

The second version of the OSS allows server-side code signing. Code modules are uploaded, virus scanned and signed with the corresponding key. No client-side key management is required. Furthermore, this service has a download area where anybody can download the signed modules.

Java Client
Version 1.0

Command line application, extending the functionality of the Java keytool to make use of the OpenSign infrastructure to sign and verify Jar archives.

.NET Client
TBC