David Emery,
I totally agree with your position. We committed several years ago to add email signature and encryption capabilities for the project that I support. A few months ago we expanded to the company. We have about 50/50 Windows XP and OS X on the desktops.
Most of the time our users can sign and encrypt just fine. But when anything goes wrong, the error messages are meaningless to the users and next to meaningless to me even after supporting this stuff for a couple of years. This is just managing our own certs and communicating amongst ourselves. When we throw in the certs from DoE and DoD it gets even worse. They have these "split" certs: one for signing, another for encryption. OS X Mail app recognizes when a signing cert is present, but aborts when the user tries to encrypt. That is really tough to debug and the error message that gets generated is pretty worthless.
In XP you can specify which cert you wish to use. In OS X you can't without getting into terminal mode or messing around exporting and importing to get the order "right" for OS X.
There is a LONG way to go before certs are usable on a level that doesn't take an extraordinary level of support. We use OS X because of ease of support.... the cert situation takes more support than anything else we deal with on OS X. I wish Apple would put some energy into getting cert support up to par with the rest of OS X.
It will be nice when certs work well and have good, user friendly error messages and a set of GUI interfaces in Keychain Access or a control panel that lets you manage certs well beyond the extremely cryptic (pun intended) implementation.
It will also be nice when certs are ubiquitous so that we can lock down receiving email that isn't signed by a white listed sender. That would eliminate most SPAM.
Paul
-- Paul Derby Chief Enterprise Architect supporting BioWatch Systems Program Office as IT Lead Department of Homeland Security 703-647-2745
From: David Emery <email@hidden>
Date: December 28, 2009 4:25:13 PM EST
To: "Timothy J. Miller" <email@hidden>
Cc: "email@hidden" <email@hidden>
Subject: Re: [Fed-Talk] Root Cert on MacBookPro Question
I've had problems getting PKI to work on each environment I've tried:
Thunderbird in MacOS
Mail.app in MacOS
Internet Explorer in Windows XP
The absence of any other environment is not an indication of success, rather it's an indication I haven't messed with it.
So this is well beyond just a Mail.app problem. Some of these are relatively simple problems, such as provisioning root certs. But a huge part of the problems -everywhere- have been the total absence of meaningful diagnostic information that I can use to figure out what the problem is. So much of the PKI infrastructure assumes an expertise in PKI principles that I, as an experienced (32 years + college) don't have.
And I think this is a much bigger problem than just DoD configurations. The inaccessibility of PKI for the average person (either end-user or infrastructure provider) means that PKI solutions which have been advocated for a more secure web (with the notable exception of https websites), have failed to meet their promise for a more secure internet. I think this is systemic with the way the security industry has approached PKI, with way too much "perfection" and business constraints in the way of the more general good. (Disclosure/Disclaimer, my wife now works for Verisign, but I have no association with them.)
From a Federal Government perspective, I think the IA Czar should take a real deep serious look at why we can't secure the Internet, and maybe the approach is to move some aspects of PKI from the private sector to government, e.g. certification issuance. But that's clearly getting into policy decisions that I admit are (a) probably off-topic; (b) I started in the first place. Mea culpa!
dave
On Dec 28, 2009, at 1:49 PM, Timothy J. Miller wrote:
David Emery wrote:
So, Tim, would you carry a PKI-enabled rifle into combat?
Yes. I've been involved in multiple systems that use PKI and operate at the tactical edge. It can be done, is done, and will be done more as time goes on.
The fact that Apple gets it wrong in Mail.app has absolutely no bearing on the suitability of the underlying technology.
-- Tim