
A Tale of Two Open Source Cryptography Projects
Bouncy Castle (http://www.bouncycastle.org) and EJBCA (http://www.ejbca.org)

BouncyCastle
Set of cryptographic libraries for Java and C# developers. Provides cryptography services, as well as support for certificate handling, secure messaging, SSL/TLS, and time stamping.

EJBCA
PKI Certificate Authority: an enterprise Java application that issues and manages digital certificates. Uses the Bouncy Castle library for low-level functions.

Bouncy Castle Overview


Website: http://www.bouncycastle.org
Founded in May 2000. Now has around 20,000 downloads a month, including 5000 of the full Java distribution.
Originally just Java; C# API added in 2006.
Original Java API around 27,000 lines including test code. Provided support for J2ME, a JCE/JCA provider, and basic X.509 certificate generation.
Latest Java release, 1.41, 267,000 lines including test code. Supports the same functionality as the original release (with a larger number of algorithms) plus PKCS#10, PKCS#12, CMS, S/MIME, OpenPGP, TLS, OCSP, and Attribute Certificates.
C# API around 145,000 lines. Supports most of what the Java API does.
Strong emphasis on standards compliance and adaptability.
Public support facilities include an issue tracker, dev mailing list, and a wiki, all available at the website.
Commercial support provided at http://www.lockboxlabs.com
Other resources, such as third party products or extensions built on Bouncy Castle, as well as books and articles, are listed on the resources pages:
Java - http://www.bouncycastle.org/resources.html
C# - http://www.bouncycastle.org/csharp/resources.html

EJBCA Overview
Website: http://www.ejbca.org
Founded in November 2001. Now has around 1500 downloads every month.
Originally built because BouncyCastle included a certificate generation API, and J2EE was the new cool technology.
Originally 1 developer; currently 5 main developers plus contributors.
Original code around 6000 lines including test code. Provided support for a basic certificate authority with a command line interface.
Latest release, 3.8.0, 166,000 lines including test code. Supports the same functionality as the original release plus multiple CAs, a web based Admin-GUI, different algorithms, a full list of extensions, support for EAC ePassport PKI, all common PKI interfaces, and enterprise features for high-availability, monitoring and security.
Strong emphasis on standards compliance, adaptability and integration into an organization's application environment and work-flow.
Public support facilities include an issue tracker, dev mailing list, forum, IRC chat and a wiki, all available at the website.
Commercial support provided at http://www.primekey.se
Resources, such as third party products used, references, howtos and documentation, are available on the website.

Bouncy Castle Usage and Development Issues


Access to Standards documents
The Bouncy Castle core developers place a lot of emphasis on standards compliance. However, this is hampered to some degree by the cost of purchasing standards documents, as the project is largely unfunded.

Standards Bodies need to publish freely available and thorough compliance tests
Having managed to get access to a standard, the next challenge is to produce something that is compatible with other implementations. Most standards are published with few, if any, test vectors, and those that exist almost never cover the edge conditions in the document. A considerable amount of time is lost identifying these edge conditions.

Access to certification
Governments generally require cryptography providers to be certified to some level before they can be used. This is fair enough! However, the cost of certification is often so high that it effectively eliminates open source projects from being used, as they cannot afford to gain certification.

EJBCA Usage and Development Issues


Open reference implementations for standards
The developers implement the available open-standard PKI protocols. In some cases it is difficult or impossible to find open or freely available implementations for interoperability testing. In reality this makes the bugs of large commercial vendors the de facto standard. Some countries are defining what counts as an open standard.

EU funding

It is not easy for small open source vendors to get EU funding; the system is targeted at large corporations and commercial benefit. Certification costs are high, and certified open source products would give both commercial and public benefit.

Interoperability

Users and customers require interoperability with proprietary products, but obtaining that interoperability is expensive and time consuming. Support from vendors is low and support contracts are expensive. Interoperability events are restricted to closed groups, to which open source projects could be invited.

Public procurement discriminates open source

Public procurement in EU governments often specifies trademarks, which discriminates against open source products. This is shown in an OFE study available at www.openforumeurope.org.

Those web sites again!

Bouncy Castle Project Site: http://www.bouncycastle.org
Commercial Support: http://www.lockboxlabs.com

EJBCA Project Site: http://www.ejbca.org
Commercial Support: http://www.primekey.se

Questions?
