A Tale of Two Open Source Cryptography Projects Bouncy Castle

http://www.bouncycastle.org and


BouncyCastle
● Set of cryptographic libraries used by developers in Java and C#.
● Deals with provisioning of cryptography services, also support for certificate handling, secure messaging, SSL/TLS, and time stamping.

EJBCA
● PKI Certificate Authority, enterprise java application issuing and managing digital certificates.
● Uses BouncyCastle library for low level functions.

Bouncy Castle – Overview

Website: http://www.bouncycastle.org
● Founded in May 2000.
● Originally just Java. C# API added in 2006.
● Original Java API around 27.000 lines including test code. Provided support for J2ME, a JCE/JCA provider, and basic X.509 certificate generation.
● Latest Java release, 1.41, 267.000 lines including test code. Supports same functionality as original release (with a larger number of algorithms) plus PKCS#10, PKCS#12, CMS, S/MIME, OpenPGP, TLS, OCSP, and Attribute Certificates.
● C# API around 145.000 lines. Supports most of what the Java API does.
● Now has around 20.000 downloads a month, including 5000 of the full Java distribution.
● Strong emphasis on standards compliance and adaptability.
● Public support facilities include an issue tracker, dev mailing list, and a wiki all available at the website.
● Commercial support provided at http://www.lockboxlabs.com
● Other resources, such as third party products, or extensions, built on Bouncy Castle, as well as books and articles are listed on the resources pages:
  ● Java: http://www.bouncycastle.org/resources.html
  ● C#: http://www.bouncycastle.org/csharp/resources.html

EJBCA – Overview

Website: http://www.ejbca.org
● Founded in November 2001.
● Originally built because BouncyCastle included certificate generation API, and J2EE was new cool technology.
● Originally 1 developer, currently 5 main developers plus contributors.
● Original code around 6000 lines including test code. Provided support for a basic certificate authority with a command line interface.
● Latest release, 3.8.0, 166.000 lines including test code. Supports same functionality as original release plus multiple CAs, web based Admin-GUI, all common PKI interfaces, different algorithms, full list of extensions, support for EAC ePassport PKI, enterprise features for high-availability, monitoring and security.
● Now has around 1500 downloads every month.
● Strong emphasis on standards compliance, adaptability and integration in the organization's application environment and work-flow.
● Public support facilities include an issue tracker, dev mailing list, forum, IRC chat and a wiki, all available at the website.
● Commercial support provided at http://www.primekey.se
● Resources, such as used third party products, references, howtos and documentation available on website.

Bouncy Castle – Usage and Development Issues

Access to Standards documents
The Bouncy Castle core developers try to place a lot of emphasis on standards compliance. However this is hampered to some degree by the costs involved in purchasing standards documents as the project is largely unfunded.

Standards Bodies need to publish freely available and thorough compliance tests
Having managed to get access to a standard, the next challenge is to produce something that is compatible with other implementations. Most standards are published with few, if any, test vectors, which almost never cover any edge conditions in the document. A considerable amount of time is lost identifying these edge conditions.

Access to certification
Governments generally require cryptography providers to be certified to some level before they can be used. This is fair enough! However the cost of certification is often so high that it effectively eliminates open source projects from being used as they cannot afford to gain certification.

EJBCA – Usage and Development Issues

Open reference implementations for standards
The developers implement available open standards PKI protocols. In some cases it is difficult or impossible to find open or freely available implementations for interoperability testing. Interoperability events are restricted to closed groups, where open source projects could be invited. Some (countries) are making definitions for what is an open standard.

Interoperability
Users and customers require interoperability with proprietary products, but obtaining that interoperability is expensive and time consuming. Support from vendors is low and support contracts expensive. In reality this makes large commercial companies' bugs the de facto standard.

Public procurement discriminates open source
Public procurement in EU governments often uses trademarks, discriminating against open source products. This is shown in an OFE study available at www.openforumeurope.org.

EU funding
Not easy for small open source vendors to get EU funding, system is targeted for large corporations and “commercial benefit”. Certification costs are high and certified open source products would give both commercial and public benefit.

Those web sites again!

Bouncy Castle
Project Site: http://www.bouncycastle.org
Commercial Support: http://www.lockboxlabs.com

EJBCA
Project Site: http://www.ejbca.org
Commercial Support: http://www.primekey.se

Questions?

