The Papyrus Project (Version 4)
Papyrus Project (Version 5) information will be coming soon
John Douglass, Georgia Institute of Technology (firstname.lastname@example.org)
The CA software model called "Papyrus" is built around OpenSSL (http://www.openssl.org).
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade,
full-featured, and Open Source toolkit implementing the Secure Sockets
Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
as a full-strength general purpose cryptography library. The project is
managed by a worldwide community of volunteers that use the Internet to
communicate, plan, and develop the OpenSSL toolkit and its related documentation.
The goal of Papyrus is to provide CA services by designing software
that is only as complex as it needs to be. Simplicity and functionality
are the key to a successful adoption of certificate services in many institutions.
Software Base and Language
The following software components are currently core to Papyrus:
Papyrus is written in PHP utilizing the Apache web server and MySQL as
a backend repository for issued certificates.
Current Implemented Services
The software currently provides certificate services to Netscape
and Microsoft Internet Explorer,
but each to a different level and often times different levels based upon
operating system or complexity of the browser. Published methods of how
to provide certificate services to the browers do not always function for
each operating system (what works on Windows may not work on the Mac version)
but we are at the mercy of the browser developers in most cases of this.
The software currently is enabled to provide the following CA services:
NOTE: It is possible to request a signed certificate in Netscape and then
export it into Microsoft's certificate repository for use in Internet Explorer
and Microsoft Outlook products.
Root certificate distribution to IE and NS
Process certificate requests from the Netscape browser and return signed
certificates that can be used for:
User certificate distribution to support digital encryption for both IE
There is no base hardware requirements. As long as a server can run OpenSSL,
Apache with PHP, and a MySQL server, it should be good enough. I've run
them on Celeron 400s and Solaris Ultra2's both with success. You can make
up something, but a wide variety of hardware and operating systems can
run all these services.
The next steps in the Papyrus project will be to:
There are a number of research tasks for this software project I have in
my head (not on paper) that given a select group of participating software
developers and researchers would be great to work with.
Document the matrix of what services work for which browsers in what operating
Document certificate chain recommendations for member institutions and
how to project their private-keys
Document what certificates mean to a user and to a relying party
Document how the different S/MIME clients handle digital signature and
digital encryption (primarily Netscape Messenger and Outlook/Outlook Express)
Develop how to get a signed MSIE certificate back into its repository
Develop server certificate request for web/mail/other services
Develop Opera support (http://www.opera.com)
Develop some form of CRL, OCSP, or other live certificate checking process(es)