Re: [Fed-Talk] CAC on the Mac - AIA?
- Subject: Re: [Fed-Talk] CAC on the Mac - AIA?
- From: "Shawn A. Geddis" <email@hidden>
- Date: Mon, 11 Feb 2008 11:38:34 -0500
On Feb 11, 2008, at 11:24 AM, Timothy J Miller wrote:
On Feb 11, 2008, at 11:15 AM, Emmons, James M Mr CIV USA AMC wrote:
Rather than having the Mac use the URL noted on my CAC for AIA, which, btw, is the DOD "top of the food chain" server, I'd like to use my local responders for both OCSP and CRL. Where do I go to configure those addresses in my Mac - is there a specific plist in one of the Libraries that I'm looking over?
You can't in Tiger. I submitted a bug on this over a year ago. When Leopard was released I was told this was addressed in Leopard (along with all my outstanding bugs), but I've not been able to test this yet.
If there's a UI anywhere it should be in Keychain Access preferences.
-- Tim
Jim,
We need to ensure that we clearly differentiate between two different scenarios which are alluded to in your original email message above.
Scenario #1
----------------
Preference Settings for enabling CRL / OCSP:
Within the Keychain Access Utility
Preferences --> Certificates
This allows you to set the OCSP and/or CRL processing to be:
* OFF
* Best Attempt
As well as the Priority:
* OCSP
* CRL
* Require Both
The setting of these preferences will only enforce how the Certificates are to be validated as they are defined within the Certificate.
Scenario #2
----------------
This built-in process does NOT allow you to configure a redirect from, say, the CRL Distribution Point defined in a Certificate to an OCSP Validator (AIA) your organization would like to use instead. If the Certificate defines the URIs for CRL -OR- OCSP -OR- Both, then you can set the use of them, but you are not able to configure a redirect to a server not defined in the signed certificate.
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
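To make Scenario #2 concrete: the only CRL and OCSP addresses the built-in validator has to work with are the ones signed into the certificate's CRL Distribution Points and Authority Information Access extensions. The following is an added example, not code from the thread or from Apple: it builds a self-signed test certificate carrying those extensions and reads the URIs back out; the hostnames, the subject name and the `cryptography` library usage are assumptions of the example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Constructed placeholder URIs standing in for those a real CAC would carry.
CRL_URI = "http://crl.example.test/ca.crl"
OCSP_URI = "http://ocsp.example.test/"


def build_test_cert(with_crl=True, with_ocsp=True) -> x509.Certificate:
    """Self-signed test certificate carrying CDP and/or AIA (OCSP) extensions."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "test-cac-holder")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if with_crl:
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(CRL_URI)],
                                    None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    if with_ocsp:
        ad = x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                    x509.UniformResourceIdentifier(OCSP_URI))
        b = b.add_extension(x509.AuthorityInformationAccess([ad]), critical=False)
    return b.sign(key, hashes.SHA256())


def revocation_uris(cert: x509.Certificate) -> dict:
    """URIs the built-in validator can use: only those signed into the cert."""
    uris = {"crl": [], "ocsp": []}
    try:
        for dp in cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value:
            uris["crl"] += [g.value for g in (dp.full_name or [])
                            if isinstance(g, x509.UniformResourceIdentifier)]
    except x509.ExtensionNotFound:
        pass  # no CDP extension: CRL checking has nowhere to go
    try:
        for ad in cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value:
            if ad.access_method == AuthorityInformationAccessOID.OCSP:
                uris["ocsp"].append(ad.access_location.value)
    except x509.ExtensionNotFound:
        pass  # no AIA extension: OCSP checking has nowhere to go
    return uris
```

A local responder that is not named in the certificate never appears in the returned lists, which is exactly the limitation the message describes.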