Re: [Fed-Talk] DoD PKI update; SLVR L2 iSync support
  • Subject: Re: [Fed-Talk] DoD PKI update; SLVR L2 iSync support
  • From: "Timothy J. Miller" <email@hidden>
  • Date: Wed, 19 Jul 2006 15:40:09 -0500

Ran Atkinson wrote:

    My personal Powerbook running MacOS X (latest minor
    revision) has several DoD PKI certificates (originally
    supplied by Apple as part of MacOS X) in the Keychain that
    have now expired.  Lately, some signed emails from DoD folks
    are showing up as "authentication failed" in Mail.app.
    I suspect these two issues are related.

Not quite. The issuing CAs don't expire until after all the end-entity certs are expired. The only expired (or expiring) DoD CAs are 3 and 4 (email and ID, 4 CAs total).


The emails you're getting should not be signed with expired certs. That failure is most likely because we now have a second, 2048-bit root (DoD Root CA 2) and a set of issuers under it (CAs 11-14 are up, 15-18 to follow soon--again, both ID and email), and we *are* issuing end-entity certs from these CAs. The new DoD root is not in the 10.4 install, but I expect them in Leopard though it would be nice to have in 10.4.8 if it ever gets that far (Shawn, are you listening?).

    Is there some way I can download/install/update
    my keychain with a current set of DoD PKI certificates
    from an ordinary (USA) IP address ?

Issuing CAs and CRLs are available from the DISA GDS site:

https://crl.gds.disa.mil

Which should be public, IIRC.  At least I can get to it from .mitre.org.

The sticker is the DoD Root CA 2. Distributing roots is a tricky proposition; you're supposed to get them from trusted channels. As a result, you can't download the DoD Root CA 2 cert from that site like you can the issuing CAs.

You can, however, view it. Including the PEM-encoded version. Which is a valid cert format, I should add...

Don't ask me the point, I don't make it up, I just report it.  :)

-- Tim

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
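The distinction Tim draws above (an expired CA would not explain the failures; a signing chain that ends in the new DoD Root CA 2, which the 10.4 keychain does not hold, would) can be made mechanical with a small chain walker. This is an added example, not code from the post or from any DoD/DISA tool; CA names follow the post, while the original root's name, every date, and the keychain contents are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    subject: str
    issuer: str
    not_before: date
    not_after: date

    def valid_at(self, when: date) -> bool:
        return self.not_before <= when <= self.not_after


def diagnose_chain(chain, trusted_roots, signing_date):
    """chain is ordered leaf first, root last.  Returns 'ok' or
    'reason:subject' for the first problem found, checked in the order
    a verifier would: linkage, trust anchor, then validity."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return f"broken-link:{child.subject}"
    root = chain[-1]
    if root.subject != root.issuer:
        return f"incomplete-chain:{root.issuer}"
    # The root must come from the local keychain, never from the message.
    if root.subject not in trusted_roots:
        return f"untrusted-root:{root.subject}"
    for cert in chain:  # leaf upward
        if not cert.valid_at(signing_date):
            return f"expired:{cert.subject}"
    return "ok"


def issuer_outlives_subject(issuer, subject):
    """The property the post relies on: an issuing CA's validity must
    cover the whole validity period of everything it issued."""
    return (issuer.not_before <= subject.not_before
            and subject.not_after <= issuer.not_after)


# Constructed records (names for the new hierarchy follow the post; the
# original root's name and every date are illustrative assumptions).
OLD_ROOT = CertRecord("DoD Root CA", "DoD Root CA", date(2000, 1, 1), date(2020, 1, 1))
OLD_CA3 = CertRecord("DoD CA-3", "DoD Root CA", date(2000, 6, 1), date(2006, 6, 1))
OLD_LEAF = CertRecord("Old User", "DoD CA-3", date(2003, 6, 1), date(2006, 5, 31))
NEW_ROOT = CertRecord("DoD Root CA 2", "DoD Root CA 2", date(2004, 1, 1), date(2029, 1, 1))
NEW_CA11 = CertRecord("DoD CA-11", "DoD Root CA 2", date(2005, 1, 1), date(2011, 1, 1))
NEW_LEAF = CertRecord("New User", "DoD CA-11", date(2006, 3, 1), date(2009, 3, 1))
KEYCHAIN_10_4 = {"DoD Root CA"}  # assumption: 10.4 ships the old root only
```

Running `diagnose_chain([NEW_LEAF, NEW_CA11, NEW_ROOT], KEYCHAIN_10_4, date(2006, 7, 19))` reports the untrusted root, while the same call with DoD Root CA 2 added to the trust set returns "ok"; the old chain on that date fails on the expired leaf, not on the CA.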
