what is fascinating about the design of the library is not its novelty, but its
audacity. You cannot use the crypto capability of the CAC if (a) the network is
not there or (b) the crypto control authority (via signed OCSP) doesn't cooperate
or opts not to cooperate with you for reason R, in real time.

That is, you have real-time centralized control over the user's capability to
remotely arm their cryptographic (or any other) capability on the CCI device.

The next step is to alter SSL, so that you (using that card) have to create a
signed extensions blob during the cleartext parts of the SSL handshake,
chaining to an approved CA for that signature. Then, regulate ISPs so they must
drop any TCP packets looking like an SSL handshake - that set up the secure
sessions - unless the signature is present and authorized. Of course, that
authorization itself requires an OCSP ping, which stores at DISA the audit
trail that CAC card X was used in SSL session Y to port P address I, at a given
time.
> Date: Wed, 29 Nov 2006 14:20:01 -0500
> From: [EMAIL PROTECTED]
> To: [email protected]
> Subject: Re: [Muscle] FC6 and pkcs11_inspect
>
> Todd Denniston wrote:
> > third.x509 contains[1] your "X509v3 Key Usage: critical Digital Signature,
> > Non Repudiation", i.e., "Email Signature Certificate".
> > In this certificate there is a section "Authority Information Access" which
> > contains an OCSP URI definition; pkcs11_vfy is faulting on what it finds
> > there. The URI (shouldn't that be URL?) that is on mine is a disa.mil host,
> > which eventually times out when I try to have firefox or lynx look at it, so
> > vfy may just not be able to get a response, or it is improperly defined.
> >
> > I say _mine_ has an OCSP URI definition because it seems that the more of
> > these CAC certs I look at (before importing into thunderbird), the more I
> > notice that the "Authority Information Access" and "X509v3 CRL Distribution
> > Points" seem to be inconsistently applied, like the operator creating the
> > badge gets to choose/enter the information and some of them do it and others
> > don't.
>
> My CAC does indeed have a URI that points to a disa.mil host, but I also
> don't get a response when I go to that link. I'll attempt to try Timothy
> Miller's suggestion and see how that fares. I did note that if I turned off
> the enable_oscp, pkcs11_inspect did display the information on the second
> cert on my CAC. I'll have to research if that test is mandatory or just
> advisory. If mandatory, I'll have to figure out how to deal when my laptop
> isn't connected to a network if I wanted to use the email mapper.
>
> And today I got my scr243 card working on linux! I feel so productive. If
> only my job wasn't to be an astronomer instead of an IT guy.
>
> _______________________________________________
> Muscle mailing list
> [email protected]
> http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
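The AIA/OCSP behaviour discussed in the thread, as an added example that is not code from the thread or from pkcs11_inspect: a minimal DER walker that pulls the OCSP responder URI out of an X.509 AuthorityInfoAccess extension value (returning an empty list when the extension carries none, as with the inconsistently issued CAC certs), plus a small policy function contrasting hard-fail, where an unreachable responder rejects the certificate, with soft-fail, where the check is only advisory. The sample AIA bytes, the example.test URIs and the fetch callback are constructed for this example.

```python
from typing import Callable, List, Optional

ID_AD_OCSP = bytes.fromhex("2b06010505073001")       # OID 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
ID_AD_CAISSUERS = bytes.fromhex("2b06010505073002")  # OID 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
TAG_SEQ, TAG_OID, TAG_URI = 0x30, 0x06, 0x86         # 0x86 = GeneralName [6] uniformResourceIdentifier

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: low 7 bits = number of length bytes
        count, length = length & 0x7F, 0
        for _ in range(count):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def ocsp_uris(aia_der: bytes) -> List[str]:
    """Return every OCSP responder URI in an AuthorityInfoAccessSyntax value (may be empty)."""
    tag, seq, _ = read_tlv(aia_der, 0)
    if tag != TAG_SEQ:
        raise ValueError("AIA extension value must be a SEQUENCE OF AccessDescription")
    uris, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)            # one AccessDescription
        m_tag, method, next_pos = read_tlv(desc, 0)  # accessMethod OID
        l_tag, location, _ = read_tlv(desc, next_pos)  # accessLocation GeneralName
        if m_tag == TAG_OID and method == ID_AD_OCSP and l_tag == TAG_URI:
            uris.append(location.decode("ascii"))
    return uris

def der(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder (values under 128 bytes), used only to build the constructed sample."""
    return bytes([tag, len(value)]) + value

# Constructed sample AIA value: one OCSP entry and one caIssuers entry (the latter is ignored).
SAMPLE_AIA = der(TAG_SEQ,
    der(TAG_SEQ, der(TAG_OID, ID_AD_OCSP) + der(TAG_URI, b"http://ocsp.example.test"))
    + der(TAG_SEQ, der(TAG_OID, ID_AD_CAISSUERS) + der(TAG_URI, b"http://ca.example.test/ca.cer")))

def revocation_decision(uris: List[str], fetch: Callable[[str], Optional[str]], hard_fail: bool) -> str:
    """First responder that answers decides ('good'/'revoked'); if none answers, hard-fail rejects
    the certificate, soft-fail reports 'unknown' so the caller can treat the check as advisory."""
    for uri in uris:
        status = fetch(uri)                          # hypothetical fetcher: 'good', 'revoked' or None on timeout
        if status is not None:
            return status
    return "reject" if hard_fail else "unknown"
```

With a fetcher that always returns None (the responder timing out, as in the thread), hard-fail mode rejects a certificate that may be perfectly valid, which is exactly the offline-laptop problem the reply raises.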