Friday, May 4, 2007

OdyssiCS Update and Milestones

This morning, I logged into the SourceForge project page for OdyssiCS. I was curious to see how many downloads of the application have occurred. To my surprise, the number of downloads since release 0.1 last year has topped 800. I don't know how many of these downloads resulted in any substantial use, but it's still refreshing to know that people are at least looking at it. To all of you that have downloaded and tried OdyssiCS, thank you. And, please, give me your feedback! It will go a long way to helping me in my development.

I have been working on version 0.2 in what little spare time I have. I've been fortunate to learn a great deal about Hibernate, Spring, and general Java security since the first release. The main areas I have been focusing on for release 0.2 are:

  • Security
  • Ease of Administration
  • Inclusion of more advanced features

Release 0.1 was rather weak in terms of security. While I did perform basic group membership checks, I realized that I was not designing for security as much as I'd originally intended. As a result, I have gutted a great deal of the original code to ensure that it is designed with security in mind from the ground up. I've also been spending a bit of time working on a secure JAAS-based application framework that I hope to have included in version 0.3.

Administration in release 0.1 was also quite lacking. In an effort to get the first release out there, I didn't spend as much time on developing an administrative interface. This includes both CA server administration, as well as certificate administration for Registration Authorities. I've sketched out quite a few ideas that I would like to incorporate into the web interface for administration. Hopefully, this will make OdyssiCS easier to deploy and maintain, making it viable for some real-world work. Additionally, for version 0.3 I plan to include an embedded Tomcat server and Windows GUI installer to make installation and configuration even easier. My plans for version 0.3 are still quite sketchy, but hopefully it will represent a really high-quality, feature-rich release.

Lastly, there was quite a bit of functionality missing in version 0.1. This is being addressed in version 0.2, starting with the use of certificate extensions and templates. Part of the power of X.509 certificates is the ability to include certificate extensions. These extensions outline additional characteristics about the certificate, such as the constraints that exist pertaining to what it can be used for, CRL information, and policies that apply to the certificate. I had some code in version 0.1 for working with extensions, but just wasn't happy with how it turned out. I shelved it, deciding it would be best for the next release. Certificate templates provide a way to define the characteristics of the different types of certificates a CA can create. For example, SSL server certificates might have different properties (extensions, validity periods, key sizes, etc.) from e-mail certificates. This will add a great deal of functionality to OdyssiCS, and I look forward to having that code completed.
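The template idea described above, as an added example that is not OdyssiCS code: a CA-side function that derives a certificate's extensions and validity from a named template and rejects requests that violate it. The `CertTemplate` structure, the `plan_issuance` function, the request dictionary layout and the numeric limits are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta

EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth (RFC 5280)
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection (RFC 5280)

@dataclass(frozen=True)
class CertTemplate:  # hypothetical structure, not OdyssiCS's schema
    min_rsa_bits: int
    max_validity_days: int
    key_usage: tuple
    ext_key_usage: tuple
    san_type: str  # the only subjectAltName type this template may carry

# Constructed sample values for illustration.
TEMPLATES = {
    "ssl-server": CertTemplate(2048, 365, ("digitalSignature", "keyEncipherment"),
                               (EKU_SERVER_AUTH,), "dns"),
    "email": CertTemplate(2048, 730, ("digitalSignature", "keyEncipherment"),
                          (EKU_EMAIL_PROTECTION,), "email"),
}

def plan_issuance(template_name, request, now):
    """Return (extensions, not_before, not_after); raise ValueError on a violation."""
    tpl = TEMPLATES.get(template_name)
    if tpl is None:
        raise ValueError(f"unknown template: {template_name}")
    if request["rsa_bits"] < tpl.min_rsa_bits:
        raise ValueError("RSA key is smaller than the template minimum")
    sans = request.get("san", [])
    if not sans or any(not s.startswith(tpl.san_type + ":") for s in sans):
        raise ValueError(f"template requires only {tpl.san_type} subjectAltNames")
    # The template caps the lifetime; a longer requested period is clamped.
    days = min(request.get("validity_days", tpl.max_validity_days), tpl.max_validity_days)
    if days <= 0:
        raise ValueError("validity period must be positive")
    # Extensions come from the template alone; request["extensions"] is never read,
    # so a requester cannot ask for CA:TRUE or an extra key purpose.
    extensions = {
        "basicConstraints": {"critical": True, "ca": False},
        "keyUsage": {"critical": True, "bits": list(tpl.key_usage)},
        "extendedKeyUsage": {"critical": False, "oids": list(tpl.ext_key_usage)},
        "subjectAltName": {"critical": False, "names": list(sans)},
    }
    return extensions, now, now + timedelta(days=days)
```

The returned dictionary is a plan for whatever library actually builds and signs the certificate; nothing here encodes ASN.1 or touches a key.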

Some of the features I plan on implementing for version 0.2 include:

  • Certificate revocation, with full CRL support
  • OCSP (Online Certificate Status Protocol) for reporting certificate revocation information
  • Completely redesigned GUI for both end-entities and administrators
  • Enhanced security features throughout all domains of the application
  • Revised SQL schema, and SQL scripts for MySQL, PostgreSQL, and other SQL databases
  • X.509 certificate extensions and certificate templates

This is just a sample of some of the things I'm working on for the next release. I don't have a timeline for it, as my free time for development has been limited. Please feel free to leave a comment if there are additional features you would like me to investigate for this release. I've already started pondering what I want for version 0.3 (XKMS, JAAS-based security framework, JMX management, etc.) so please pass on your suggestions!
