Re: [Fed-Talk] DoD PKI update; SLVR L2 iSync support
- Subject: Re: [Fed-Talk] DoD PKI update; SLVR L2 iSync support
- From: "Timothy J. Miller" <email@hidden>
- Date: Wed, 19 Jul 2006 15:40:09 -0500
Ran Atkinson wrote:
> My personal Powerbook running MacOS X (latest minor
> revision) has several DoD PKI certificates (originally
> supplied by Apple as part of MacOS X) in the Keychain that
> have now expired. Lately, some signed emails from DoD folks
> are showing up as "authentication failed" in Mail.app.
> I suspect these two issues are related.
Not quite. The issuing CAs don't expire until after all the end-entity
certs are expired. The only expired (or expiring) DoD CAs are 3 and 4
(email and ID, 4 CAs total).
The emails you're getting should not be signed with expired certs. That
failure is most likely because we now have a second, 2048-bit root (DoD
Root CA 2) and a set of issuers under it (CAs 11-14 are up, 15-18 to
follow soon--again, both ID and email), and we *are* issuing end-entity
certs from these CAs. The new DoD root is not in the 10.4 install, but
I expect them in Leopard though it would be nice to have in 10.4.8 if it
ever gets that far (Shawn, are you listening?).
> Is there some way I can download/install/update
> my keychain with a current set of DoD PKI certificates
> from an ordinary (USA) IP address?
Issuing CAs and CRLs are available from the DISA GDS site:
https://crl.gds.disa.mil
Which should be public, IIRC. At least I can get to it from .mitre.org.
The sticker is the DoD Root CA 2. Distributing roots is a tricky
proposition; you're supposed to get them from trusted channels. As a
result, you can't download the DoD Root CA 2 cert from that site like
you can the issuing CAs.
You can, however, view it. Including the PEM-encoded version. Which is
a valid cert format, I should add...
Don't ask me the point, I don't make it up, I just report it. :)
-- Tim
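As an added illustration of the distinction drawn above (an expired CA sitting in the keychain versus a signer whose chain ends at a root that is not installed), the following Python script is not from the thread; it assumes the `cryptography` package, generates a throwaway hierarchy locally, and uses the DoD CA names only as labels for constructed certificates.

```python
# Added example (not from the thread): a constructed CA hierarchy built with the
# `cryptography` library; CA names only mirror the discussion, all keys are local.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW, DAY = dt.datetime(2006, 7, 19), dt.timedelta(days=1)  # evaluate as of the post's date

def make_cert(cn, issuer, not_after, is_ca):  # issuer = (cert, key), or None for a self-signed root
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signing_key = (issuer[0].subject, issuer[1]) if issuer else (name, key)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - 3650 * DAY).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))
    return cert, key

def expires(cert):  # naive UTC expiry; works on library versions with or without the _utc accessor
    t = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return t.replace(tzinfo=None)

def verify_link(cert, issuer):  # raises InvalidSignature unless `issuer` really signed `cert`
    issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)

def diagnose(cert, intermediates, anchors, now=NOW):  # 'ok' or the first reason the chain fails
    by_subject = {c.subject: c for c in intermediates}   # what came with the message
    trusted = {c.subject: c for c in anchors}            # what the keychain holds
    while True:
        if expires(cert) < now:
            return "expired: " + cert.subject.rfc4514_string()
        issuer = trusted.get(cert.issuer) or by_subject.get(cert.issuer)
        if issuer is None:                                # nothing to continue the chain with
            return "trust anchor not installed: " + cert.issuer.rfc4514_string()
        verify_link(cert, issuer)
        if cert.issuer in trusted and expires(issuer) >= now:
            return "ok"                                   # reached a valid installed root
        cert = issuer                                     # an expired anchor is reported next pass

def demo():  # 'before': only the old, expired anchor installed; 'after': DoD Root CA 2 added
    ca3 = make_cert("DOD CA-3", None, NOW - 30 * DAY, True)       # stand-in for expired CAs 3/4
    root2 = make_cert("DoD Root CA 2", None, NOW + 7300 * DAY, True)
    ca12 = make_cert("DOD EMAIL CA-12", root2, NOW + 2000 * DAY, True)
    signer = make_cert("sender@example.mil", ca12, NOW + 900 * DAY, False)
    return {"before": diagnose(signer[0], [ca12[0]], [ca3[0]]),
            "after": diagnose(signer[0], [ca12[0]], [ca3[0], root2[0]])}
```

The expired CA-3 stand-in never enters the verdict because nothing in the signer's chain points at it; the failure is the absent root, which disappears once it is added to the anchors.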