RE: And DCO too {was- [Fed-Talk] AKO/DKO and Safari 4 (UNCLASSIFIED)
- Subject: RE: And DCO too {was- [Fed-Talk] AKO/DKO and Safari 4 (UNCLASSIFIED)
- From: "Beck, Keith M CDR ACNO NGEN, OPNAV N099" <email@hidden>
- Date: Mon, 15 Jun 2009 10:54:11 -0400
- Thread-topic: And DCO too {was- [Fed-Talk] AKO/DKO and Safari 4 (UNCLASSIFIED)
DODI 8552.01 (23 Oct 2006) requires the user agent to check certificate
validity. After a certificate is expired, it is (rightly) no longer
included in CRLs if revoked. I think DCO also meets their criteria for
using an ECA code signing cert.
http://www.dtic.mil/whs/directives/corres/pdf/855201p.pdf
Implementation Guide for DoD Instruction 8552.01, Use of Mobile Code in
DoD Information Systems. Volume 3 - Appendix B: Configuration Guide For
Mobile Code-Enabled Software (27 Feb 2009):
https://iase.disa.mil/mcp/appendix-b-configuration-guide-27-feb09.doc
From pp 73-74 (I'm not listing all - just the policies DCO is working to
address):
It is recommended that the Java Plugin should be configured as follows:
* Prevent users from granting permissions to applets that were signed
with a code signing certificate issued by untrusted Certificate
Authorities.
* Enable warnings for suspicious certificates (e.g., certificate that
does not match the originating host's name).
* Enable checking for certificate revocation and online certificate
validation.
I agree that few seats are currently configured to comply with policy,
but it isn't hard to get an ECA certificate and sign mobile code every
few years to avoid re-enforcing bad habits.
Keith
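As an added example (not part of this thread, of DCO's software or of the cited configuration guide), the Python below models the three Java Plugin checks quoted above, together with the CRL behaviour described at the top of the message: a revoked certificate drops off the CRL once it expires, so a user agent that consults the CRL without first checking the validity period would treat it as good. Every certificate record, CA name, serial number, host name and date in it is constructed for illustration.

```python
"""Signed-applet policy checks modelled after the three Java Plugin settings
quoted from the DoDI 8552.01 configuration guide. Added example: the CA names,
serials, hosts and dates below are constructed, not real DoD or ECA data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject_cn: str    # host name the publisher certificate was issued for
    issuer: str        # name of the issuing CA
    serial: int
    not_before: date
    not_after: date


def build_crl(issued_certs, revoked_serials, today):
    """CA-side view of a CRL: it lists revoked certificates only while they are
    still unexpired. A certificate past not_after is dropped, so a relying party
    that skips the validity check cannot learn from the CRL that it was revoked."""
    return {c.serial for c in issued_certs
            if c.serial in revoked_serials and c.not_after >= today}


@dataclass
class Verdict:
    allowed: bool
    errors: list
    warnings: list


def check_applet_signer(cert, trusted_cas, crls, originating_host, today):
    """Apply the three quoted policies to the certificate that signed an applet."""
    errors, warnings = [], []
    # Policy 1: no user override for certificates issued by an untrusted CA.
    if cert.issuer not in trusted_cas:
        errors.append(f"issuer '{cert.issuer}' is not a trusted CA")
    # Policy 3 (validity first): an expired certificate is absent from every CRL,
    # so consulting the CRL before the validity period would report it as good.
    if not (cert.not_before <= today <= cert.not_after):
        errors.append(f"certificate not valid on {today} "
                      f"(valid {cert.not_before} to {cert.not_after})")
    elif cert.serial in crls.get(cert.issuer, set()):
        errors.append(f"serial {cert.serial} is revoked by '{cert.issuer}'")
    # Policy 2: a name that does not match the originating host is a warning.
    if cert.subject_cn != originating_host:
        warnings.append(f"certificate name '{cert.subject_cn}' does not match "
                        f"originating host '{originating_host}'")
    return Verdict(allowed=not errors, errors=errors, warnings=warnings)


# Constructed scenario: one trusted CA, evaluation date matching the thread.
TRUSTED = {"Example ECA Root"}
TODAY = date(2009, 6, 15)
HOST = "dco.example.mil"

GOOD = Cert(HOST, "Example ECA Root", 1001, date(2008, 1, 1), date(2010, 12, 31))
EXPIRED = Cert(HOST, "Example ECA Root", 1002, date(2006, 1, 1), date(2008, 10, 20))
SELF_SIGNED = Cert(HOST, "Vendor Self-Signed", 1, date(2008, 1, 1), date(2010, 12, 31))
REVOKED = Cert(HOST, "Example ECA Root", 1003, date(2008, 1, 1), date(2010, 12, 31))

# Serial 1002 was revoked before it expired; today's CRL no longer carries it,
# while 1003 (still within its validity period) does appear.
CRLS = {"Example ECA Root": build_crl([GOOD, EXPIRED, REVOKED], {1002, 1003}, TODAY)}


def demo():
    """Evaluate each constructed certificate against the policy."""
    cases = [("good", GOOD), ("expired", EXPIRED),
             ("self_signed", SELF_SIGNED), ("revoked", REVOKED)]
    return {name: check_applet_signer(c, TRUSTED, CRLS, HOST, TODAY)
            for name, c in cases}


if __name__ == "__main__":
    for name, verdict in demo().items():
        status = "ALLOW" if verdict.allowed else "BLOCK"
        print(f"{name:12s} {status}  errors={verdict.errors}  warnings={verdict.warnings}")
```

The order of the checks is the point: the expired certificate (serial 1002) is blocked on its validity period, and would have slipped through a CRL-only check because the CA has already pruned it. A host-name mismatch produces a warning rather than a block, matching the guide's wording.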
-----Original Message-----
From: Timothy J. Miller [mailto:email@hidden]
Sent: Monday, June 15, 2009 8:40
To: Beck, Keith M CDR ACNO NGEN, OPNAV N099
Cc: email@hidden; Fed Talk
Subject: Re: And DCO too {was- [Fed-Talk] AKO/DKO and Safari 4 (UNCLASSIFIED)
Beck, Keith M CDR ACNO NGEN, OPNAV N099 wrote:
> -The Java applet was signed with a code signing certificate that isn't
> in your (or anyone's chain of trust).
> -The Java applet has an expired signature (20 Oct 2008).
These don't really matter. Code signing is a special case with its own
trust semantics; it works by direct trust, not by chaining or validity
periods. Otherwise you'd have an instant DoS any time a publisher cert
expired, which would lead to lawsuits. :)
> Even if you signed into the DCO portal with your CAC, currently DCO asks
> for your user name and password for an individual meeting anyway.
That's a cookie sharing problem, I believe.
-- Tim
Fed-talk mailing list (email@hidden)