Re: [Fed-Talk] CACs and DoD certs on Macs
- Subject: Re: [Fed-Talk] CACs and DoD certs on Macs
- From: Sean Baker <email@hidden>
- Date: Fri, 23 Nov 2012 15:40:20 -0500
Shawn,
I think we're pretty much on the same page here. Hopefully I've
simply not explained myself...
> Sean: Not sure where this is coming from. The "DoD Root CA 2" Root CA
> Certificate is shipped as part of the System Roots Keychain and is
> inherently trusted without trust modifications.
Yup, and it's one of the best things y'all have done for federal
sales -- much less hassle for our users, at least when the sys
admins know what they're doing!
> Be extra careful here when you are referring to certificates simply by
> their Common Name as the only form of unique identifier. There is also a
> "DoD Root CA 2" Intermediate CA Certificate issued by the "DoD
> Interoperability Root CA 1" CA. That means that there are two
> certificates issued by the DoD with the exact same CN, with one serving
> as a Root CA Certificate and the other serving as an Intermediate CA
> Certificate.
> [....]
> This is what some are referring to as "certificate cancer".
Also agreed.
> On Nov 13, 2012, at 1:58 AM, Sean Baker <email@hidden> wrote:
>
>> This is the most common cause for the problem which we run into here -
>> sites not chaining their certificates the right way and OSX
>> inexplicably trying to chain back to the Common Policy CA (which it
>> can't do) vs. the 'true' DOD Root CA.
>
> Sean: Again, I am a bit confused how you have come to this conclusion.
>
> "...inexplicably trying to chain back to the Common Policy CA (which it
> can't do) vs. the 'true' DOD Root CA."
>
> OS X is building the Trust Path from the locally stored and trusted CA
> Certificates. Why are you claiming that OS X cannot chain back to the
> Common Policy CA Certificate?
>
> When you say the 'true' "DoD Root CA" I am assuming you are referring to
> the "DoD Root CA 2" Root CA Certificate and not the "DoD Root CA 2"
> Intermediate CA Certificate as noted above.
This goes back to your (redacted - sorry, wanted to keep this shorter)
example of the "DOD Interoperability CA 1", which doesn't evaluate fully
under OSX, and the fact that while the MS Outlook client relies on the
user's accessible keychains to establish trust, it does so with that
sometimes... creative chaining which it seems inclined to perform.
Further, we have come across a couple of DOD sites which chain themselves
back to the Common Policy cert, thereby making themselves inevaluable for
vanilla OSX installs. Lastly, we've also come across sporadic situations
where a fully & properly chained server is still not evaluated as
trustworthy even with the "real" (exp 2029) DoD Root CA 2 trusted (and
yes, the server is returning the correct cert - we've ruled out MITM, at
least for those cases which we've experienced directly as IT). It's come
and gone, seeming to pass with a browser restart (Chrome or Safari), but
doesn't seem to require any keychain interaction to set it off [NOTE:
this is an incredibly minor reason, but as it happened to me yesterday,
thought I'd mention it].
In any case, all of these reasons have led us to recommend the explicit
trusting of the signed "DoD Root CA 2" (exp 2013) to simply 'cut off'
the evaluation chain and make things more reliable both for browsing and
email usage. From our perspective it introduces no more risk than is
already there, but gives our users a much better experience on the whole.
Sorry for any confusion!
Sean
--
Ne Desit Virtus,
Sean R. Baker
1LT, MS
United States Army
Office #: (301) 319-0712
Email: email@hidden
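The path-building problem the thread circles around, as an added example that is not part of the original message or of any Apple or DoD code: two certificates carry the subject "DoD Root CA 2" and, because a cross-certificate certifies the same public key, the same Subject Key Identifier, so a builder that matches issuers by name or by key identifier sees two candidates for the same step. The model below is a toy (certificates are plain records, no X.509 parsing or signature checking); the topology, key identifiers, serials and expiry years are constructed, and the link from the interoperability CA up to a "Common Policy" self-signed certificate is an assumption made to reproduce the symptom Sean describes, not a statement about the real PKI or about what OS X actually does. It shows a greedy builder dead-ending at the untrusted Common Policy certificate, a backtracking builder finding the path to the trusted self-signed root, and the workaround from the message (explicitly trusting the cross-certificate) cutting the chain short for the greedy builder.

```python
"""Toy X.509 path builder: two certs with the same CN and the same key.

Everything here is CONSTRUCTED for illustration. Names are reused from the
thread for readability; identifiers, serials, expiry years and the
Interop -> Common Policy link are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str        # subject key identifier (hash of the subject's public key)
    aki: str        # authority key identifier (SKI of the issuing key)
    serial: str
    not_after: int  # expiry year, enough for a toy

    @property
    def fingerprint(self) -> str:
        # issuer + serial is unique per certificate (RFC 5280 4.1.2.2);
        # CN is not, and SKI is not either once a cross-cert reuses the key.
        return f"{self.issuer}|{self.serial}"


# Constructed key identifiers.
KEY_DOD2, KEY_INTEROP, KEY_COMMON = "ski-dod-root-ca-2", "ski-interop-1", "ski-common-policy"
KEY_ISSUING, KEY_LEAF = "ski-issuing-ca", "ski-leaf"

# Self-signed "real" root (the one OS X ships in System Roots, exp 2029 in the thread).
ROOT = Cert("DoD Root CA 2", "DoD Root CA 2", KEY_DOD2, KEY_DOD2, "05", 2029)
# Cross-certificate for the SAME key, issued by the interoperability CA (exp 2013 in the thread).
XCERT = Cert("DoD Root CA 2", "DoD Interoperability Root CA 1", KEY_DOD2, KEY_INTEROP, "0a", 2013)
# Assumed: the interoperability CA chains up to a Common Policy self-signed cert.
INTEROP = Cert("DoD Interoperability Root CA 1", "Common Policy", KEY_INTEROP, KEY_COMMON, "11", 2015)
COMMON = Cert("Common Policy", "Common Policy", KEY_COMMON, KEY_COMMON, "01", 2020)
# Constructed issuing CA and end-entity certificate.
ISSUING = Cert("DoD Issuing CA (constructed)", "DoD Root CA 2", KEY_ISSUING, KEY_DOD2, "1f", 2018)
LEAF = Cert("user.example.mil (constructed)", "DoD Issuing CA (constructed)", KEY_LEAF, KEY_ISSUING, "2a", 2015)

# Order matters for a greedy builder: the cross-cert is listed before the root.
POOL = [LEAF, ISSUING, XCERT, INTEROP, COMMON, ROOT]
# Only the self-signed root is trusted, mirroring a vanilla System Roots keychain.
ANCHORS: Set[str] = {ROOT.fingerprint}


def candidates(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Possible issuers of `cert`: subject name matches and the SKI matches cert's AKI."""
    return [c for c in pool if c.subject == cert.issuer and c.ski == cert.aki]


def build_path_greedy(leaf: Cert, pool: List[Cert], anchors: Set[str]) -> Optional[List[Cert]]:
    """Take the first candidate at every step and never back up.

    Dead-ends (returns None) when it walks into a self-signed cert that is not an anchor.
    """
    path, seen, cur = [leaf], {leaf.fingerprint}, leaf
    while cur.fingerprint not in anchors:
        nxt = [c for c in candidates(cur, pool) if c.fingerprint not in seen]
        if not nxt:
            return None
        cur = nxt[0]
        seen.add(cur.fingerprint)
        path.append(cur)
    return path


def build_path_backtracking(leaf: Cert, pool: List[Cert], anchors: Set[str]) -> Optional[List[Cert]]:
    """Depth-first search over all candidates: try the alternative when a branch dead-ends."""
    def dfs(cur: Cert, path: List[Cert], seen: Set[str]) -> Optional[List[Cert]]:
        if cur.fingerprint in anchors:
            return path
        for c in candidates(cur, pool):
            if c.fingerprint in seen:
                continue
            found = dfs(c, path + [c], seen | {c.fingerprint})
            if found:
                return found
        return None
    return dfs(leaf, [leaf], {leaf.fingerprint})


def names(path: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if path is None else [c.subject for c in path]


if __name__ == "__main__":
    print("candidates for ISSUING:", [c.fingerprint for c in candidates(ISSUING, POOL)])
    print("greedy, root only trusted:      ", names(build_path_greedy(LEAF, POOL, ANCHORS)))
    print("backtracking, root only trusted:", names(build_path_backtracking(LEAF, POOL, ANCHORS)))
    # The workaround from the message: explicitly trust the cross-cert too.
    print("greedy, cross-cert also trusted:", names(build_path_greedy(LEAF, POOL, ANCHORS | {XCERT.fingerprint})))
```

Two points carry over to real tooling: disambiguate certificates by issuer and serial (or by full-certificate fingerprint), never by CN or SKI alone, when you pin or remove trust; and explicitly trusting the cross-certificate only helps as long as that certificate is valid, so a builder that relied on it would need a replacement anchor once it expires.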