Re: [Fed-Talk] CACs with updated certs
Re: [Fed-Talk] CACs with updated certs
- Subject: Re: [Fed-Talk] CACs with updated certs
- From: "Adams, Walter CTR CNIC HQ, N61" <email@hidden>
- Date: Thu, 30 Jul 2009 18:30:37 -0400
- Thread-topic: [Fed-Talk] CACs with updated certs
Tim,
Understood. There needs to be a way to force a refresh - frankly though
most of the time our systems sit silently idling waiting for us to figure
out what we want them to do - somewhere in there is a time segment or two
that the OS could check things out.
This discussion just gave me a flash back to Silent Running and the little
drones...
Walter
On 7/30/09 5:53 PM, "Timothy J. Miller" <email@hidden> wrote:
> Walter Adams wrote:
>
>> Honestly there should be an easier way to get the OS to recognize the new
>> certs on the CAC and to allow you to delete the old ones. There maybe some
>> cryptographic reason to assume that the file system knows best, but frankly
>> I think the CAC card should be the canonical source of what it contains, not
>> the file system.
>
> No security reason, just speed. It takes a noticeable amount of time to
> read the certs off the card, which delays having the token ready in your
> keychain by a fair bit.
>
> I agree that securityd should be capable of noting when the cache is out
> of date and fixing it, though.
>
> -- Tim
>
Walter Adams
Program Manager & Chief Architect PSNet
email@hidden
703-518-5527 (Office)
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden