[Muscle] FC6 and pkcs11_inspect
Greg Hennessy
greg.hennessy at cox.net
Wed Nov 29 11:20:01 PST 2006
Todd Denniston wrote:
> third.x509 contains[1] your
> "X509v3 Key Usage: critical
> Digital Signature, Non Repudiation", i.e., "Email Signature
> Certificate".
> In this certificate there is a section "Authority Information Access"
> which contains a OCSP URI definition, pkcs11_vfy is faulting on what
> it finds there. The URI (shouldn't that be URL?) that is on mine is a
> disa.mil host, which eventually times out when I try to have firefox
> or lynx look at it, so vfy may just not be able to get a response, or
> it is improperly defined.
>
> I say _mine_ has a OCSP URI definition because it seems that the more
> of these CAC certs I look at (before importing into thunderbird), the
> more I notice that the "Authority Information Access" and "X509v3 CRL
> Distribution Points" seem to be inconsistently applied, like the
> operator creating the badge gets to choose/enter the information and
> some of them do it and others don't.
My CAC does indeed have a URI that points to a disa.mil hosts, but I
also don't get a response when
I go to that link. I'll attempt to try Timothy Miller's sugguestion and
see how that fairs. I did note
that if I turned off the enable_oscp pkcs11_inspect did display the
information on the second cert
on my CAC. I'll have to research of that test is manditory or just
advisory. If manditory, I'll
have to figure out how to deal when my laptop isn't connected to a
network if I wanted to use the email mapper.
And today I got my scr243 card working on linux! I feel so productive.
If only my job wasn't to be an astronomer
instead of an IT guy.
More information about the Muscle
mailing list