Re: [Fed-Talk] Re: Root Cert on MacBookPro Question
- Subject: Re: [Fed-Talk] Re: Root Cert on MacBookPro Question
- From: "Timothy J. Miller" <email@hidden>
- Date: Mon, 4 Jan 2010 09:37:44 -0600
Paul Derby wrote:
> Our challenges are with DoE, not DoD. The problem isn't email
> name/case matching but the separate signing and encryption certs.
> Most of the DoE people we deal with don't realize they have two certs
> and that THEY have to send along the encryption public key if they
> expect an encrypted message back.
They don't have to do anything, the client should be doing it for them.
In Outlook 2k7, go to Trust Center, E-mail Security, and inspect the
S/MIME settings dialog. At the bottom is a selection, "Send these
certificates with signed messages." This is checked by default, IIRC,
and is settable via GPO.
> Totally confusing to our users on
> both ends. Whoever the IA/ISSO/security wonk is that decided to
> enforce split certificates has caused huge amounts of confusion
> amongst the users we deal with and due to this confusion people tend
> to avoid encrypting because they can't cope with the challenge of
> certificate usage on either OS X or Windows XP.
This 'split' is required by all gov't PKI implementations by both NIST
and NSA. There are *very very* good reasons why PKIs are structured
like this, not the least of which is that the encryption *private* key
is escrowed by the issuer so that the issuing organization can decrypt
your data should you get hit by a bus, but *under no circumstances*
should a signature key of any kind be escrowed.
> Glad the DoD is doing this. The Federal Government needs to become
> ONE ENTERPRISE instead of Federal stovepipes. We deal primarily with
> DoE (National Labs) and DHS. The DHS PIV cards are DHS's way to do
> what the DoD does with their CAC card. Why the Federal Government
> needs to call the same thing two different names is part of the
> confusion.
CAC is PIV. PIV is the Fed smartcard standard; CAC predates it, and has
aligned with it over the last three years. My current CAC is a fully
functioning PIV and will work in any Fed PIV-compliant system.
> DHS is trying to roll out their PIV card and the
> underlying support for encryption and digital signatures with
> Entrust, but the deployment isn't well thought out at all. Just this
> morning I had to disable Entrust on a Windows XP machine because DHS
> pushed it out before providing the user with a smart card reader or a
> PIV card to put in the reader. So when others that have PIV cards
> and readers send her signed email, Outlook brings up the Entrust
> interface and the user can't do anything but get frustrated and ask
> for help.
Don't get me started on Entrust.
> It may be rare in the Mitre environment, but it is common in our
> environment to have two external issued certs. In the last 2 months
> we've had to reissue certs to everyone on our project because the CA
> that issued the certs (Thawte) decided to get out of the cert
> business and declared all our certs invalid. So for the better part
> of the upcoming year we have people with 2 certs from two different
> CAs.
When the first issuer pulled out, all the certs it issued should have
been revoked. So the user *should* only have *one* valid cert for his
email address.
> With OS X it is too much for the user to figure out how to make
> the second-issued, replacement cert the default cert. The
> implementation in OS X of defaulting to the first installed valid
> cert really causes user confusion when a second cert is installed and
> should be used, but the first cert needs to stay on the machine so
> email can still be decrypted.
You can delete the certificate and retain the private key. Only the
private key is needed to read old email.
-- Tim
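As an added illustration of Tim's point that the client, not the user, should work out which certificate a correspondent encrypts to, the following Go program reads each cert's KeyUsage extension to tell a split signing cert from an encryption cert and picks the time-valid encryption-capable one. This is example code written for this page, not anything from the thread, Outlook or Entrust; Usage, PickEncryptionCert and the self-signed Sample certs (an old dual-use cert modelled as expired, plus a new signing/encryption pair) are constructed for it.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Usage reads KeyUsage: a split pair gives one cert that only signs and one that only encrypts.
func Usage(c *x509.Certificate) (canSign, canEncrypt bool) {
	canSign = c.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment) != 0
	canEncrypt = c.KeyUsage&(x509.KeyUsageKeyEncipherment|x509.KeyUsageKeyAgreement) != 0
	return
}
// PickEncryptionCert does what the client should do for the user: pick the time-valid,
// encryption-capable cert a correspondent must encrypt to (latest-expiring if several), or nil.
func PickEncryptionCert(certs []*x509.Certificate, now time.Time) (best *x509.Certificate) {
	for _, c := range certs {
		_, canEncrypt := Usage(c)
		if !canEncrypt || now.Before(c.NotBefore) || now.After(c.NotAfter) {
			continue // signing-only, expired or not-yet-valid: never encrypt to it
		}
		if best == nil || c.NotAfter.After(best.NotAfter) {
			best = c
		}
	}
	return best
}
// selfSigned generates a constructed self-signed cert and parses it back as a client would.
func selfSigned(usage x509.KeyUsage, from time.Time, days int) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: usage, NotBefore: from,
		NotAfter: from.AddDate(0, 0, days), Subject: pkix.Name{CommonName: "constructed test cert"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}
// Sample models the thread at time Now: [0] the old dual-use cert from the withdrawn CA
// (modelled here as expired), [1] the new signing cert, [2] the new encryption cert.
var Now = time.Now()
var Sample = []*x509.Certificate{
	selfSigned(x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, Now.AddDate(-2, 0, 0), 365),
	selfSigned(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, Now.AddDate(0, -1, 0), 365),
	selfSigned(x509.KeyUsageKeyEncipherment, Now.AddDate(0, -1, 0), 365),
}
```

With the sample set, PickEncryptionCert returns Sample[2]; once the old cert is out of the list only the new signing cert remains, and the function returns nil rather than ever offering a signing cert for encryption.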