[Muscle] FC6 and pkcs11_inspect

Timothy J. Miller tmiller at mitre.org
Wed Nov 29 12:12:56 PST 2006


Greg Hennessy wrote:

> My CAC does indeed have a URI that points to a disa.mil host, but I 
> also don't get a response when
> I go to that link. I'll attempt to try Timothy Miller's suggestion and 
> see how that fares. I did note
> that if I turned off the enable_oscp pkcs11_inspect did display the 
> information on the second cert
> on my CAC. I'll have to research if that test is mandatory or just 
> advisory. If mandatory, I'll
> have to figure out how to deal when my laptop isn't connected to a 
> network if I wanted to use the email mapper.

You can download the CRLs (it's easy to script; mail me privately and I 
can send you the python script I use) and maintain them locally. 
Turning off revocation checking (which is all OCSP is doing) isn't the 
greatest idea but it's not a show-stopper either.  IMHO certs with 
smartcards without revocation status are still better than any password.

Personally I prefer the openssh mapper.  This mapper requires that the 
specific public keys allowed to access an account be added to that 
account's ~/.ssh/authorized_keys.  The advantage is that this kind of 
direct key trust eliminates any namespace attacks against the PKI, and 
is damn secure even in the absence of revocation checking.  The 
disadvantage is that every time you get new certs, you need to add them 
to .ssh/authorized_keys *and* delete the old keys from that file before 
you can log in.

-- Tim
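The rotation chore Tim describes for the openssh mapper, as an added example (not code from this thread or from the pam_pkcs11 project): it encodes an RSA public key taken from a card certificate into the `ssh-rsa` form the mapper matches against `~/.ssh/authorized_keys`, then replaces the old card's entry with the new one in a single pass. The modulus values are constructed placeholders, not real CAC keys.

```python
import base64
import hashlib
import struct

# Constructed (toy) RSA public-key values standing in for the key the openssh
# mapper reads from the certificate on the card; real CAC keys are 2048 bits.
E = 65537
OLD_N = 0xC0FFEE1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF12345677
NEW_N = 0xF00DBABE1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234569B

def _ssh_string(b: bytes) -> bytes:
    # RFC 4251 string: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(x: int) -> bytes:
    # RFC 4251 mpint: big-endian, with a leading 0x00 if the top bit is set
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)

def rsa_to_authorized_keys_line(e: int, n: int, comment: str) -> str:
    """Encode (e, n) as the 'ssh-rsa <base64 blob> <comment>' line sshd expects."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_ssh_rsa_line(line: str) -> tuple:
    """Decode an ssh-rsa line back to (e, n); used here to verify the encoding."""
    blob, pos, fields = base64.b64decode(line.split()[1]), 0, []
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa entry")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob, handy for logging a rotation."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def rotate_authorized_keys(contents: str, old_line: str, new_line: str) -> str:
    """Drop every entry carrying the old key blob and add the new line exactly once."""
    old_blob, new_blob = old_line.split()[1], new_line.split()[1]
    kept = [l for l in contents.splitlines() if l.split()[1:2] != [old_blob]]
    if not any(l.split()[1:2] == [new_blob] for l in kept):
        kept.append(new_line)
    return "\n".join(kept) + "\n"
```

Matching on the key blob rather than the comment is what makes the removal reliable: the comment is free text, while the blob is exactly what sshd compares.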