The Papyrus Project (Version 4)
Papyrus Project (Version 5) information will be coming soon
John Douglass, Georgia Institute of Technology (john.douglass@oit.gatech.edu)
Program Core
The CA software model called "Papyrus" is built around OpenSSL (https://www.openssl.org).
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade,
full-featured, and Open Source toolkit implementing the Secure Sockets
Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
as a full-strength general purpose cryptography library. The project is
managed by a worldwide community of volunteers that use the Internet to
communicate, plan, and develop the OpenSSL toolkit and its related documentation.
The goal of Papyrus is to provide CA services by designing software
that is only as complex as it needs to be. Simplicity and functionality
are the key to a successful adoption of certificate services in many institutions.
Software Base and Language
The following software components are currently core to Papyrus:
Papyrus is written in PHP utilizing the Apache web server and MySQL as
a backend repository for issued certificates.
Current Implemented Services
The software currently provides certificate services to Netscape
and Microsoft Internet Explorer,
but each to a different level, and often to different levels depending on the
operating system or the complexity of the browser. Published methods for
providing certificate services to the browsers do not always work on
every operating system (what works on Windows may not work on the Mac version),
and in most of these cases we are at the mercy of the browser developers.
The software currently is enabled to provide the following CA services:
- Root certificate distribution to IE and NS
- Process certificate requests from the Netscape browser and return signed
  certificates that can be used for:
  - web authentication
  - digital signatures
  - digital encryption
- User certificate distribution to support digital encryption for both IE
  and NS
NOTE: It is possible to request a signed certificate in Netscape and then
export it into Microsoft's certificate repository for use in Internet Explorer
and Microsoft Outlook products.
Hardware Requirements
There are no base hardware requirements. As long as a server can run OpenSSL,
Apache with PHP, and a MySQL server, it should be good enough. I've run
them on Celeron 400s and Solaris Ultra2's both with success. You can make
up something, but a wide variety of hardware and operating systems can
run all these services.
Next Steps
The next steps in the Papyrus project will be to:
- Document the matrix of what services work for which browsers in what operating
  system
- Document certificate chain recommendations for member institutions and
  how to protect their private keys
- Document what certificates mean to a user and to a relying party
- Document how the different S/MIME clients handle digital signature and
  digital encryption (primarily Netscape Messenger and Outlook/Outlook Express)
- Develop how to get a signed MSIE certificate back into its repository
- Develop server certificate request for web/mail/other services
- Develop Opera support (https://www.opera.com)
- Develop some form of CRL, OCSP, or other live certificate checking process(es)
There are a number of research tasks for this software project I have in
my head (not on paper) that, given a select group of participating software
developers and researchers, would be great to work with.