Todd Denniston wrote:
third.x509 contains[1] your "X509v3 Key Usage: critical Digital
Signature, Non Repudiation", i.e., "Email Signature Certificate".
In this certificate there is a section "Authority Information Access"
which contains an OCSP URI definition; pkcs11_vfy is faulting on what
it finds there. The URI (shouldn't that be URL?) that is on mine is a
disa.mil host, which eventually times out when I try to have firefox
or lynx look at it, so vfy may just not be able to get a response, or
it is improperly defined.

I say _mine_ has an OCSP URI definition because it seems that the more
of these CAC certs I look at (before importing into thunderbird), the
more I notice that the "Authority Information Access" and "X509v3 CRL
Distribution Points" seem to be inconsistently applied, like the
operator creating the badge gets to choose/enter the information and
some of them do it and others don't.

My CAC does indeed have a URI that points to a disa.mil host, but I
also don't get a response when I go to that link. I'll attempt to try
Timothy Miller's suggestion and see how that fares. I did note that if
I turned off the enable_oscp, pkcs11_inspect did display the
information on the second cert on my CAC. I'll have to research if that
test is mandatory or just advisory. If mandatory, I'll have to figure
out how to deal when my laptop isn't connected to a network if I wanted
to use the email mapper.

And today I got my scr243 card working on Linux! I feel so productive.
If only my job wasn't to be an astronomer instead of an IT guy.