Rich Trouton provided the answer over on the ARD list:

On Mar 24, 2011, at 3:06 PM, Trouton, Rich wrote:
> You'll need to run these commands on a per-user basis, as Keychain is looking
> to the ~/Library/Preferences/com.apple.security.revocation.plist file for
> these settings:
>
> -----
>
> defaults write com.apple.security.revocation CRLStyle -string BestAttempt
>
> defaults write com.apple.security.revocation OCSPStyle -string BestAttempt
>
> ------
>
> If you're also pushing managed preferences, you should be able to set these
> in your MCX settings.
>
> Thanks,
> Rich

On Mar 24, 2011, at 2:36 PM, Bill Morgan wrote:
> Our Information Security Office has given the following instructions to
> secure Safari against the recently announced certificate hijacking:
>
> Safari: OCSP is not enabled by default. To enable it, open Keychain Access
> from Applications > Utilities. Choose Keychain Access > Preferences, then
> click on the Certificates tab. Set the first two options, for OCSP and CRL,
> to Best Attempt, and leave priority set to the default setting. This will
> tell Safari, or any other program that uses the built-in certificates on Mac
> OS X, to check these servers before accepting any SSL certificate on a web
> site.
>
> Does anyone know a quick way to alter these settings from the command line,
> so we can secure a few hundred 10.5 and 10.6 machines?
>
> TIA,
>
> Bill Morgan
> College of Fine Arts
> UT Austin
>
> _______________________________________________
> MacOSX-admin mailing list
> [email protected]
> http://www.omnigroup.com/mailman/listinfo/macosx-admin
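
The per-user rollout described in the reply above, as an added example that is not part of the original thread: a script, run as root on each Mac, that applies both `defaults write` commands for every local account. It assumes home folders live under `/Users` and are named after the account's short name; the `apply_revocation_prefs` function and the `DRY_RUN` variable are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example (not from the thread): set CRLStyle and OCSPStyle to
# BestAttempt in each user's com.apple.security.revocation preferences.
# Assumptions: homes are under /Users and the folder name is the account
# short name. DRY_RUN=1 prints the commands instead of running them.
# Usage: DRY_RUN=1 apply_revocation_prefs /Users

DOMAIN="com.apple.security.revocation"

apply_revocation_prefs() {
    local users_root="${1:-/Users}" home user key
    for home in "$users_root"/*; do
        [ -d "$home" ] || continue
        user="$(basename "$home")"
        # Skip folders that are not real login accounts.
        case "$user" in Shared|Guest) continue ;; esac
        # Skip homes that have never been populated (no Preferences folder).
        [ -d "$home/Library/Preferences" ] || continue
        for key in CRLStyle OCSPStyle; do
            if [ "${DRY_RUN:-0}" = "1" ]; then
                echo "sudo -u $user defaults write $DOMAIN $key -string BestAttempt"
            else
                # Run as the account owner so the setting lands in that
                # user's ~/Library/Preferences and keeps correct ownership.
                sudo -u "$user" defaults write "$DOMAIN" "$key" \
                    -string BestAttempt || return 1
            fi
        done
    done
}
```

Accounts created after the script runs are not covered; the MCX route mentioned in the reply handles those.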
