---------------------------------------------------------------------------
PASSWORD - Piloting a European security infrastructure for network applications
---------------------------------------------------------------------------

PASSWORD was a project funded by the EC VALUE programme 1992 to create a security infrastructure based on X.509 technology for the research community in Europe and to pilot secured applications with users.

The seven partners included a mix of software houses, research organisations and universities from three national consortia in the UK, France and Germany. The project organisation was based nationally, partly around specific software developments, and partly in case there were regulatory difficulties in exporting the software, so that only interworking might be achieved.

The consortia proposed interworking their OSI-based security toolkits (the German Secude, the British Osisec and the French Mavros/Chimera toolkits) and developing a common understanding of requirements and policies necessary for the user pilot. An important aspect of the project was the use of the existing X.500 infrastructure to register certification authorities (CAs) and public keys. This aspect is not vital to security pilots; it is crucial, however, to large-scale, open deployment.

Part of the project plan was to create a suite of secured applications from each consortium to be used in conjunction with the toolkits. The project successfully demonstrated interoperability between these heterogeneous secured applications, which included X.400, X.500, PEM and ODA. Once completed, the software was made widely available.

The PASSWORD pilot began in July 1993 and attracted interest from across Europe, the United States and Japan. Deployment was not limited to the research community and demonstrated some of the complexities, both technical and otherwise, involved in making the technology work.

Aims and Accomplishments of the PASSWORD Project

The PASSWORD project was the first pilot of a number of different implementations of important applications of security services. The principal aims were the following:

* to show that a number of different security toolkits could be made to interwork;
* to develop a number of different secured applications, based on the different toolkits, and to show that they would interwork. The applications were directories, email, structured document contents and connections;
* to deploy a security infrastructure, ensuring that the relevant certificates used the PARADISE directory infrastructure;
* to pilot the applications with substantial numbers of users in the R+D community;
* to document the security requirements and security policies.

Initially it was expected to deploy the systems only in the countries of the partners: France, Germany and the UK. Although the number of pilot sites is more limited than envisaged at the start of the project, there is deployment, currently or planned, in a spread of countries including the following: Ireland, Italy, Japan, the Netherlands, Norway, Portugal, Slovenia, Spain, Sweden and the US. It was intended that the industrial members of the PASSWORD consortia might commercialise the software produced; encouragingly, a much wider set of both commercial companies and research organisations is adopting the software.

Secured Application Development and Interworking

In the original proposal it was planned to pilot five secured applications: X.400 (88) mail, X.500 directories, Internet Privacy Enhanced Mail (PEM), ODA over X.400 (84) and ACSE. All three consortia provided X.400 (88), X.500, and PEM. As expected, only the British provided the ODA/X.400 (84), and both the British and French provided ACSE. The last two were never deployed, because there has not yet been much demand even for the unsecured versions.

Application Deployment

While there is deployment in a number of important communities, and further installations are planned, the deployment in the R+D community has been limited for interesting reasons. Commercial interest in the PASSWORD results is evidenced by the partners having obtained significant further development and deployment contracts for sizeable security pilots, both in the defence and commercial sectors.

Deployment of secure X.400 (88) has been virtually non-existent; there is very little use of X.400 user agents, even in the unsecured versions, in the research community. Similar considerations apply to the ODA application; only the latest version, with security in parts of documents, offers real functional advances. Again, even unsecured ODA is hardly deployed in the research community.

There is a need to deploy secure directories, but security needs arise either from legislation about privacy or from commercial considerations. In neither case has a sufficient demand yet built up in the R+D community. There are still regulatory problems in some countries; for example, even since the PASSWORD project started, French legislation on security and privacy has tightened. It now requires specific permission from the relevant French security agency to deploy encrypted message services.

Secured directories are a recognised requirement, but the whole deployment picture of X.500 is patchy. Regulatory considerations have precluded large-scale deployment of X.500 systems in Germany. The British may deploy secured X.500 systems eventually in the academic community, but the decision will have to be made by the national research network authorities, not in a single project like PASSWORD.

Software Availability

All software developed under the project and available is listed below. Where software is offered by anonymous ftp, the availability is restricted to non-commercial use. For commercial use contact the person overleaf.

Germany: By anonymous ftp from darmstadt.gmd.de
  Security-Toolkit: SecuDE
  Applications: X.500 (QUIPU with dish, secure de), PEM (PEM library functions, PEM filter utility, PEM integration into mh, xmh, elm)

France: Available on request from TS-E3X
  Security-Toolkit: MAVROS with Chimaera
  Applications: X.400 (UCOM.X 400), X.500 (UCOM.X 500)

UK: By anonymous ftp from cs.ucl.ac.uk in /osisec
  Security-Toolkit: OSISEC v2.3 (requires IC-RI)
  Applications: X.500 (QUIPU with dish or de), PEM (XPEM, PEM filter utility, PEM integration into mh), ODA (DOCSEC)
  Available on request from NEXOR: X.400: PP with the SecXUA user agent

PASSWORD Documentation

By anonymous ftp from cs.ucl.ac.uk in /password

* Security Policy (X.400, X.500, ODA, ACSE)
* CA Requirements
* User Requirements
* Administrators and Users Report
* Enhancement to User Agents
* General Evaluation Report

Contacts

German consortium:
  GMD Institute for Telecooperation Technology
  Wolfgang Schneider
  Dolivostr. 15
  D-64293 Darmstadt
  Tel.: +49 6151 869 700
  Fax: +49 6151 869 785
  E-mail: W.Schneider@gmd.de
  Partners: GMD Darmstadt, Danet GmbH Darmstadt

British consortium:
  UCL Department of Computer Science
  Peter Kirstein
  Gower Street
  London WC1E 6BT
  Tel.: +44 71 380 7286
  Fax: +44 71 387 1397
  E-mail: P.Kirstein@cs.ucl.ac.uk
  Partners: UCL London, Nexor Ltd Nottingham, University of Cambridge

French consortium:
  TS-E3X
  Alain Zahm
  Les Algorithmes
  Batiment Pythagore A
  Route des Lucioles
  06560 Valbonne
  Tel.: +33 93 65 34 65
  Fax: +33 93 65 34 38
  E-mail: zahm@osi.e3x.fr
  Partners: INRIA Sophia Antipolis, E3X Valbonne

-------------------------------------------------------------------------------
schneider@darmstadt.gmd.de
-------------------------------------------------------------------------------
last modified: Thursday, 27-Apr-1995