MICHAEL STRÖDER
Klauprechtstr. 11, D-76137 Karlsruhe, Germany
A contractor position as a consultant for planning and implementing identity management, security infrastructures (PKI, directory services) and related applications.
Planning / designing architectures and implementing mechanisms for secure usage of IT services (PKI, SSL, S/MIME, VPNs, LDAP, Identity Management, Single Sign-On, Firewalls)
Designing and implementing secure software (e.g. web applications), object-oriented software design and programming (e.g. Python)
System integration and user management in large and complex environments
Training and workshops
Financial Institute in Stuttgart (10/2007 until 03/2008)
Designed Single Sign-On for web applications
Implemented pilot installation of Central Authentication Service (CAS) with authentication based on MS AD via SPNEGO/Kerberos or LDAP
Federal Government Agency in Baden-Württemberg (12/2005..12/2007)
Design, pilot installation and documentation of OpenLDAP-based directory service as central repository for abstract roles and application-specific authorization data
Described processes, interfaces and use-cases for centralized user management
International Pharmaceutical and Chemical Group (02/2006..11/2007)
Designed and installed a PKI tightly integrated with Lotus Notes for securing e-mails with S/MIME
Pre-study for group-wide PKI for Windows Smartcard Logon and file encryption including cost estimation, milestone planning etc.
Designed and installed group-wide PKI
Wrote a certification practice statement (CPS) compliant with RFC 3647 for public part of the PKI
Air Cargo company (02/2007..04/2007)
Pre-study including conception and cost estimation for a single sign-on to web-based B2B-applications
Documentation of existing applications
International Telecommunications Group (09/2005..04/2006)
Re-design and pilot implementation of data synchronization processes for group-wide directory service.
Evaluation and performance testing of LDAP server products (interoperability and performance tests)
International Logistics Group (09/2003..06/2005)
Designed X.509-based PKI infrastructure enabling retail systems to use digital signature for secure archival of posting data
Designed architecture for secure authentication and single sign-on at sales point systems using smartcards
Designed concept for managing users of retail systems even when systems are offline most of the time, including syncing with HR systems
Resolved security-relevant topics related to accountancy with auditors
International Telecommunications Group (11/2002..09/2003)
Designed registration, self-administration and recovery procedures for Entrust-based PKI architecture
Documented experiences of integrating web and desktop applications with Entrust security architectures in a best-practice guide ("cookbook") for subsequent projects
Integrated X.509-based single sign-on solution (Entrust TruePass) and the LDAP-based user management into a web application
Coaching of Java developers
Workshops for administrators
International Pharmaceutical and Chemical Group (09/2001..05/2003)
Designed specific public-key infrastructure for issuing certificates used e.g. for SSL servers and machine entities. This work included defining the certificate profile, writing the PKIX-compliant certificate policy (according to RFC 2527) and certification practice statement, and designing the software.
Evaluated PKI products in pilot project for VPN, single sign-on, S/MIME e-mail.
Designed, implemented and tested a corporate-wide LDAP directory for single-password user authentication. This system was designed as a central user store for internal and external users of web-based e-commerce applications and various other systems.
Various activities since 04/2001
Consulting for unified user management process and centralized user LDAP directory for internal and external users at an international textile group.
Designed and implemented centralized, LDAP-based address book for the municipal administration of Karlsruhe. Integrated web content management system (ZOPE) with user management of Lotus Domino via LDAP.
Held various LDAP workshops (basics, application-programming coaching).
emagine GmbH, Eschborn, Germany (10/2000 until 04/2001)
Designed PKI-related software providing value added service to financial B2B applications (e.g. Identrus compliant applications).
Designed concept for more general certificate workflow handling with arbitrary certification authorities for a Registration Authority server.
Propack Data GmbH, Karlsruhe, Germany (05/1996 until 09/2000)
Introduced, planned, installed and maintained various Internet services for internal and external communication needs, which greatly improved productivity by providing an integrated concept based on open protocol standards in a heterogeneous computing environment.
Designed and set up a firewall which fulfilled the company's need for highly secure Internet connectivity.
Established a public key infrastructure with its own certificate authority for securing the usage of Internet/Intranet services with encryption techniques (X.509, S/MIME, SSL, VPN).
Installed an IPSec-based virtual private network (VPN) for reducing communication costs by transferring the corporate IP traffic securely via the Internet.
Introduced and deployed a directory service (LDAP) providing relevant corporate information (e.g. phone book, mail addresses, certificate data) and serving as a base for a single sign-on user authentication system.
Implemented several LDAP clients for using the LDAP directory in various services.
Open Source Projects
Designed and implemented a web-based LDAPv3 client for comfortable and secure access to LDAP servers with full support for sub schema, DNS SRV records, efficient group administration, etc. (see http://www.web2ldap.de).
Development of a module package for LDAP programming with Python (see http://python-ldap.sf.net). This module is sometimes also used in my customers' projects.
Implemented PKI software accessible from web browsers (see http://www.pyca.de).
Various projects as software engineer for industrial automation and quality control (1992-1994)
Dipl.-Inform. (comparable to M.S. in Computer Science) at the University of Karlsruhe, Germany (Degree January 1999)
Diploma thesis: "Introduction and Deployment of cryptographic Technologies for secure Usage of Internet Services at Propack Data GmbH"
Relevant courses: Telematics (Computer Networks, Distributed Systems), Interactive Systems, Performance Analysis, Automation Systems
Data encryption and PKI standards
SSL, S/MIME, X.509, PKIX, IPSec
Authentication techniques
Passwords including syncing passwords, Kerberos, SASL, X.509 client certificates, PAM for Linux/Solaris
Security products
Entrust Authority, Cybertrust UNICERT (formerly Baltimore UNICERT), Windows Certificate Services, Lotus Domino CA, RSA Keon CA, Netegrity Siteminder, OpenSSL, Central Authentication Service (CAS)
Network services
Directory services:
OpenLDAP, iPlanet/Netscape/SunONE Directory Server, Novell eDirectory, MS Active Directory, IBM/Tivoli Directory Server, CA eTrust Directory, Siemens DirX, Lotus Domino/LDAP
SMTP-based e-mail services:
postfix, sendmail, qmail, fetchmail
WWW:
Apache, Squid with LDAP, FastCGI, SCGI, mod_python
File server with LDAP support (SMB/Samba, NFS)
PowerDNS with LDAP backend
Operating Systems:
Linux, Windows NT/2000/XP, Solaris, OS/2, MS-DOS
Software development skills and tools
Python, Pascal, Modula-2, Shell-scripting, HTML, CVS, Subversion
Computer Hardware:
Knowledge of PC hardware and basic knowledge of embedded systems
Available upon request.