This is partly correct. DoD does not allow you to export private keys; they are stored and locked onto the CAC card. You cannot authenticate someone unless your server or meta-directory is granted access to do so. Currently I know of nothing but AKO that is allowed to do such. If you are inside AKO you can authenticate. Otherwise you are merely authorizing or validating the user credentials. The credentials for authorizing have nothing to do with the PKI private/public key pair. Instead one is only presenting the CN of the card and verifying via CRLs or OCSP responders that the card is not revoked.

So long as one cannot remove or export the private key from a CAC and it is used to authenticate, it will remain secure, given it remains in the possession of the intended individual. Otherwise, I see how your statement could potentially be true.

Byron Johnson
Sr. Network Engineer
Contractor for Kottmann, Inc.
Joint Technical Data Integration (JTDI)
[EMAIL PROTECTED]
256-313-0218
DSN 897-0218

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Timothy J. Miller
Sent: Tuesday, April 24, 2007 11:30 AM
To: MUSCLE
Cc: [EMAIL PROTECTED]
Subject: Re: [Muscle] Re: Firefox, DoD CAC, and Omnikey Cardman 4000

Roy Keene (Contractor) wrote:
> CAC in a Personal (i.e., potentially not managed by someone who meets
> DISA requirements for a system administrator, and on a network that
> follows DISA guidelines to mitigate risk) machine mostly defeats the
> purpose of it.

That's a hell of a claim. Care to back it up?

-- Tim
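The relying-party check Byron describes above (read the CN off the card's certificate, then confirm against the issuer's CRL that the certificate is not revoked) as an added example that is not from the thread. It builds a throwaway CA, issues two CAC-style certificates, publishes a CRL revoking one of them, and runs the check; every name, key and serial is constructed here and the `cryptography` package is assumed to be installed.

```python
# Constructed demo of a CN + CRL revocation check; not code from the thread.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2007, 4, 24, tzinfo=datetime.timezone.utc)
ONE_YEAR = datetime.timedelta(days=365)

def make_ca():
    """Throwaway issuing CA (constructed; stands in for a DoD CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Issuing CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + ONE_YEAR)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_card_cert(ca_key, ca_cert, cn):
    """Issue a card certificate whose CN is the value the relying party reads."""
    key = ec.generate_private_key(ec.SECP256R1())  # would live on the card
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + ONE_YEAR)
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials):
    """CA-signed CRL listing the given serial numbers as revoked."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def card_status(cert, ca_cert, crl):
    """Return (CN, revoked) after verifying both cert and CRL come from the CA."""
    ca_pub = ca_cert.public_key()
    ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                  ec.ECDSA(cert.signature_hash_algorithm))  # raises if not CA-issued
    if not crl.is_signature_valid(ca_pub) or crl.issuer != cert.issuer:
        raise ValueError("CRL is not a valid CRL from this certificate's issuer")
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    revoked = crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
    return cn, revoked
```

The check only proves the card's certificate is still valid with its issuer; it does not prove the presenter holds the card's private key, which is the distinction the post draws between authorizing and authenticating.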
