Re: [Fed-Talk] CAC on the Mac - AIA?
- Subject: Re: [Fed-Talk] CAC on the Mac - AIA?
- From: Paul Nelson <email@hidden>
- Date: Mon, 11 Feb 2008 10:39:26 -0600
- Thread-topic: [Fed-Talk] CAC on the Mac - AIA?
Cross posting to CDSA -
> From: Timothy J Miller <email@hidden>
> ...
> On Feb 11, 2008, at 11:15 AM, Emmons, James M Mr CIV USA AMC wrote:
>
>> Rather than having the Mac use the URL noted on my CAC for AIA,
>> which, btw, is the DOD "top of the food chain" server, I'd like to use
>> my local responders for both OCSP and CRL. Where do I go to configure
>> those addresses in my Mac - is there a specific plist in one of the
>> Libraries that I'm looking over?
>
> You can't in Tiger. I submitted a bug on this over a year ago. When
> Leopard was released I was told this was addressed in Leopard (along
> with all my outstanding bugs), but I've not been able to test this yet.
>
> If there's a UI anywhere it should be in Keychain Access preferences.
>
> -- Tim
This is what would be required from the UI:
1) You must be able to tell the Mac what certificate to use to establish
trust with your OCSP responder.
2) You must be able to tell the Mac the URL of the OCSP responder.
Neither of these is in the UI AFAIK.
It was very hard for me to explain to the Apple folks why this is a
requirement for the US Military. I really don't know if they "get" it yet.
It certainly is not a priority for them, as it would not be difficult for
them to implement. The underlying CSSM architecture already supports using
a specific OCSP responder. They just need to add the UI and update the
Apple trust policy to use it.
Paul Nelson
Thursby Software Systems, Inc.