Re: [Fed-Talk] CACs and DoD certs on Macs
- Subject: Re: [Fed-Talk] CACs and DoD certs on Macs
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 30 Nov 2012 13:49:47 +0000
- Thread-topic: [Fed-Talk] CACs and DoD certs on Macs
OK, I had to go digging, but here's the skinny:
0x2e was superseded prior to going into production, but was published. 0x4c was produced by signing over the *same key* (the reason was to fix a cert extension error). Since path discovery uses Authority Key Identifier---which is a hash of the key---if you have *both* 0x2e and 0x4c in the store the algorithm may choose the older cert, which was revoked.
Upshot: It's not really a chaining bug, though a case could be made that in path discovery, given two keys with the same AuthKeyID, always choose the newer. :)
Easy fix: Delete 0x2c, install 0x4c (if you don't already have it).
-- T
>-----Original Message-----
>From: Miller, Timothy J.
>Sent: Thursday, November 29, 2012 9:06 AM
>To: David Mueller; Fed-talk
>Subject: Re: [Fed-Talk] CACs and DoD certs on Macs
>
>On 11/28/12 10:38 AM, "David Mueller" <email@hidden> wrote:
>
>>0x2e (Decimal 46) is the serial number of the revoked version of the DoD
>>CA-21 cert.
>
>CA-21's serial is 0x4C. 0x2E never made it into production, so you
>shouldn't have any cert that chains through it. If you have a chain with
>0x2E in it, send me the certs involved. Thanks.
>
>-- T
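The ambiguity described above can be reproduced offline. The following Go program is an added example, not code from the thread, the DoD PKI or any Apple component: it generates one CA key, issues two CA certificates over that same key (constructed serials 0x2e and 0x4c, chosen only to mirror the thread, with the later one having a later NotBefore), signs a leaf with the key, and then shows that a naive path-discovery step matching on Authority Key Identifier returns both CA certs as valid issuers. `pickIssuer` implements the rule proposed in the reply: drop candidates whose serial is on a (constructed, hypothetical) revocation list, then prefer the newest. The subject names and the revoked-serial list are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with signer (parent supplies the issuer name and the
// SubjectKeyId that becomes the child's AuthorityKeyId) and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildTestStore builds constructed test data: two self-signed CA certs that
// share ONE key and therefore one Subject Key Identifier, plus a leaf signed
// by that key. The store lists the superseded cert first, as a keychain might.
func buildTestStore() (*x509.Certificate, []*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := func(serial int64, notBefore time.Time) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: "EXAMPLE CA-21"}, // constructed name
			NotBefore:             notBefore,
			NotAfter:              notBefore.AddDate(10, 0, 0),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	t0 := time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC)
	oldTmpl := caTmpl(0x2e, t0) // superseded, later revoked
	oldCA, err := makeCert(oldTmpl, oldTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	newTmpl := caTmpl(0x4c, t0.AddDate(0, 6, 0)) // re-signed over the same key
	newCA, err := makeCert(newTmpl, newTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "user.example"}, // constructed name
		NotBefore:    t0.AddDate(0, 7, 0),
		NotAfter:     t0.AddDate(3, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leaf, err := makeCert(leafTmpl, newCA, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return leaf, []*x509.Certificate{oldCA, newCA}, nil
}

// candidatesByAKI is the naive discovery step from the thread: every CA cert
// whose Subject Key Identifier equals the leaf's Authority Key Identifier and
// whose key verifies the leaf's signature is an acceptable issuer.
func candidatesByAKI(leaf *x509.Certificate, store []*x509.Certificate) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range store {
		if c.IsCA && bytes.Equal(c.SubjectKeyId, leaf.AuthorityKeyId) && leaf.CheckSignatureFrom(c) == nil {
			out = append(out, c)
		}
	}
	return out
}

// pickIssuer applies the proposed rule: among candidates sharing an AKI, skip
// any whose serial (lower-case hex) is on the revocation list, then prefer the
// certificate with the latest NotBefore.
func pickIssuer(cands []*x509.Certificate, revokedSerials map[string]bool) *x509.Certificate {
	var best *x509.Certificate
	for _, c := range cands {
		if revokedSerials[c.SerialNumber.Text(16)] {
			continue
		}
		if best == nil || c.NotBefore.After(best.NotBefore) {
			best = c
		}
	}
	return best
}

func main() {
	leaf, store, err := buildTestStore()
	if err != nil {
		panic(err)
	}
	cands := candidatesByAKI(leaf, store)
	fmt.Printf("%d issuer candidates share AKI %x\n", len(cands), leaf.AuthorityKeyId)
	fmt.Printf("naive first match: serial 0x%x\n", cands[0].SerialNumber)
	picked := pickIssuer(cands, map[string]bool{"2e": true}) // constructed CRL contents
	fmt.Printf("after revocation filter and newest rule: serial 0x%x\n", picked.SerialNumber)
}
```

Both CA certificates verify the leaf's signature, so nothing in the signature check distinguishes them; only serial, validity and revocation status do. Removing the superseded certificate from the store, as the reply recommends, is what makes the naive step unambiguous.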