Re: [Fed-Talk] New Email Requirement
- Subject: Re: [Fed-Talk] New Email Requirement
- From: "Timothy J. Miller" <email@hidden>
- Date: Wed, 16 Aug 2006 09:09:10 -0500
John Niles wrote:
> Now a new requirement has been announced to make webmail CAC
> compliant using a CAC reader and Tumbleweed software. Since Mac Mail
> handles CAC requirements well, the question is will Tumbleweed accept
> Mac Mail as a legitimate client. Does anyone have any experience with
> this type of setup?
The Tumbleweed client is only for revocation status checking at your
end. This lets the client use online certificate status protocol (OCSP)
for certificate revocation checking (in your case, the webmail server's
certificate). Tumbleweed Desktop Validator only runs on Windows.
Now, OS X from Jaguar (I think) onwards supports OCSP, but it doesn't
work with the existing constraints of the DoD PKI. Most importantly, OS
X OCSP support relies on the OCSP service URL being in the certificate
itself (in the authorityInformationAccess extension) which the DoD PKI
didn't start using until *very* recently. It also doesn't obey the
system proxy settings (despite the fact that OCSP uses HTTP as its
transport). I'm also not certain if OS X OCSP supports the trust model
the DoD PKI is using for OCSP, but given the first two problems this
becomes 1) difficult for me to test, and 2) irrelevant anyway. :/
I'm hoping these are going to be (finally) addressed in Leopard, but
I've not gotten my hands on a seed yet. Hint hint, Shawn.
On the plus side, the DoD PKI doesn't revoke web server certs very
often. If you look, the CRLs for the CAs that issue device
certificates--CAs 7, 8, 13, and 14--are the smallest. Almost tiny, in
fact. So not being able to get OCSP status for your webmail server's
certificate isn't the end of the world.
That all being said, you *can* do CAC authentication to websites using
OS X and either Firefox, Mozilla or Safari (but not Camino and I don't
know about Opera). There are lots of good instructions on this posted to
this list, which you'll find in the archives, on getting the CAC working
right with all these browsers. Insofar as the webmail server is concerned, so
long as you authenticate with the right certificate it can't tell the
difference between browsers and OSes. And if it does, you can fake it
by mucking with your browser's User-Agent string.
That's webmail in general. Now let's talk OWA.
OWA 2003 has additional support for signed and encrypted email. Of
course, MS built this using an ActiveX control that will do S/MIME
operations. Obviously this won't work on OS X (which is, in the final
analysis, a Good Thing(tm); there are too many ActiveX
vulnerabilities). So if you're using OWA, you *should* be able to
access it with CAC authentication but you *won't* be able to send signed
or encrypted email, or read encrypted email. You *may* be able to read
signed email, but it depends on how the client signed it; clear signed
email you should be able to read, but opaque signed email will appear as
an attachment. It's possible to decode this attachment using OpenSSL
command-line tools, but you might not want to get into that...
-- Tim
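Two of the points above are easy to check for yourself: whether a certificate's authorityInformationAccess extension actually names an OCSP responder (the thing Tim says OS X's OCSP support depends on), and what an opaque-signed S/MIME attachment (smime.p7m) looks like once the PKCS#7 wrapper is peeled off. The following is an added example, not code from the post, from Tumbleweed, or from Apple: a small DER walker in plain Python with no third-party dependencies. The sample AIA extension, the responder URL http://ocsp.example.test/ and the sample SignedData blob are all constructed inline; the SignedData has empty digestAlgorithms and signerInfos sets, so it is structurally valid but carries no real signature. It only handles definite-length DER; real-world smime.p7m files are sometimes streamed as indefinite-length BER, and for those the `openssl smime -verify` route Tim mentions is the practical tool.

```python
import base64

# --- OIDs used below, encoded with the helper so no byte values are typed by hand
def encode_oid(dotted):
    """DER-encode a dotted OID string (content bytes only, no tag/length)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return bytes(body)

OID_OCSP = encode_oid("1.3.6.1.5.5.7.48.1")        # id-ad-ocsp
OID_CA_ISSUERS = encode_oid("1.3.6.1.5.5.7.48.2")  # id-ad-caIssuers
OID_SIGNED_DATA = encode_oid("1.2.840.113549.1.7.2")
OID_DATA = encode_oid("1.2.840.113549.1.7.1")

def tlv(tag, content):
    """Encode one DER tag-length-value (used only to build the samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos). DER only: single-byte tags, definite lengths."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    ln = buf[pos + 1]
    pos += 2
    if ln == 0x80:
        raise ValueError("indefinite-length BER not supported; use openssl smime")
    if ln & 0x80:
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = parse_tlv(value, pos)
        out.append((tag, v))
    return out

def find_ocsp_uri(aia_der):
    """Return the OCSP responder URI from an AIA extnValue, or None if absent."""
    tag, seq, _ = parse_tlv(aia_der)
    if tag != 0x30:
        raise ValueError("AIA must be a SEQUENCE OF AccessDescription")
    for _, access_desc in children(seq):
        items = children(access_desc)
        if len(items) != 2:
            continue
        (mt, method), (lt, location) = items
        # GeneralName uniformResourceIdentifier is context tag [6] -> 0x86
        if mt == 0x06 and method == OID_OCSP and lt == 0x86:
            return location.decode("ascii")
    return None

def extract_signed_content(content_info_der):
    """Return the eContent of an opaque-signed PKCS#7/CMS SignedData.
    Returns None when the signature is detached (clear-signed), because the
    message body then lives outside the blob. Does NOT verify the signature."""
    _, ci, _ = parse_tlv(content_info_der)
    (_, ctype), (wtag, wrapper) = children(ci)
    if ctype != OID_SIGNED_DATA or wtag != 0xA0:
        raise ValueError("not a SignedData ContentInfo")
    _, signed_data, _ = parse_tlv(wrapper)
    fields = children(signed_data)           # version, digestAlgorithms, encapContentInfo, ...
    _, encap = fields[2]
    encap_items = children(encap)
    if encap_items[0][1] != OID_DATA:
        raise ValueError("unexpected eContentType")
    if len(encap_items) < 2:
        return None
    octet_tag, data, _ = parse_tlv(encap_items[1][1])
    if octet_tag != 0x04:
        raise ValueError("eContent is not an OCTET STRING")
    return data

def decode_p7m_attachment(b64_text):
    """smime.p7m attachments are base64: decode, then unwrap the SignedData."""
    return extract_signed_content(base64.b64decode(b64_text))

# --- constructed samples (placeholders, not real DoD PKI data)
SAMPLE_AIA = tlv(0x30,
    tlv(0x30, tlv(0x06, OID_OCSP) + tlv(0x86, b"http://ocsp.example.test/"))
    + tlv(0x30, tlv(0x06, OID_CA_ISSUERS) + tlv(0x86, b"http://ca.example.test/ca.cer")))
AIA_NO_OCSP = tlv(0x30,
    tlv(0x30, tlv(0x06, OID_CA_ISSUERS) + tlv(0x86, b"http://ca.example.test/ca.cer")))

SAMPLE_BODY = b"Content-Type: text/plain\r\n\r\nHello from an opaque-signed message.\r\n"
def _signed_data(encap):
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30,
        tlv(0x02, b"\x01") + tlv(0x31, b"") + encap + tlv(0x31, b""))))
SAMPLE_P7M = _signed_data(tlv(0x30, tlv(0x06, OID_DATA) + tlv(0xA0, tlv(0x04, SAMPLE_BODY))))
SAMPLE_DETACHED = _signed_data(tlv(0x30, tlv(0x06, OID_DATA)))   # clear-signed: no eContent
SAMPLE_P7M_B64 = base64.encodebytes(SAMPLE_P7M).decode("ascii")

if __name__ == "__main__":
    print("OCSP responder:", find_ocsp_uri(SAMPLE_AIA))
    print("without OCSP entry:", find_ocsp_uri(AIA_NO_OCSP))
    print("opaque-signed body:", decode_p7m_attachment(SAMPLE_P7M_B64))
```

To run this against a real certificate you would first pull the extnValue out of the certificate's extensions (the OCTET STRING inside the extension whose OID is 1.3.6.1.5.5.7.1.1) and hand its contents to `find_ocsp_uri`; a certificate with no AIA at all is exactly the case Tim describes, where the OS has no responder URL to ask.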