
Re: [Fed-Talk] DoD PKI update




On Jul 19, 2006, at 4:40 PM, Timothy J. Miller wrote:

The emails you're getting should not be signed with expired certs. That failure is most likely because we now have a second, 2048-bit root (DoD Root CA 2) and a set of issuers under it (CAs 11-14 are up, 15-18 to follow soon--again, both ID and email), and we *are* issuing end-entity certs from these CAs. The new DoD root is not in the 10.4 install, but I expect them in Leopard though it would be nice to have in 10.4.8 if it ever gets that far (Shawn, are you listening?).

    Is there some way I can download/install/update
my keychain with a current set of DoD PKI certificates
from an ordinary (USA) IP address ?

Issuing CAs and CRLs are available from the DISA GDS site:

https://crl.gds.disa.mil

Which should be public, IIRC. At least I can get to it from .mitre.org.

The sticker is the DoD Root CA 2. Distributing roots is a tricky proposition; you're supposed to get them from trusted channels. As a result, you can't download the DoD Root CA 2 cert from that site like you can the issuing CAs.

Somehow under OS X 10.4.7 I already have DoD Root CA 2 under my "login" keychain. I gather it did not come via an Apple update given its location, therefore I think I obtained it because of another certificate that depended on it and included it.


I also have DOD EMAIL CA-12 in my "login" keychain, but my certificates are DOD Class 3 Email CA-10 so it's not from my CAC card.

However, I have located exactly one local person in my login keychain who is DOD EMAIL CA-12 and everyone at my location receives email from that person, so I suspect every OS X 10.4.x user at my location also has DoD Root CA 2.

Michael

