[Muscle] FC6 and pkcs11_inspect
Peter Williams
home_pw at msn.com
Wed Nov 29 14:24:29 PST 2006
what is fascinating about the design of the library is not its novelty, but its audacity. You cannot use the crypto capability of the CAC if (a) the network is not there (b) the crypto control authority (via signed OCSP) doest cooperate or opts not to cooperate with you for reason R, in real time.
That is, you have realtime centralized control over the user's capability to remotely arm their cryptographic (or any other) capability on the CCI device.
The next step is to alter SSL, so that you (using that card) have to create a signed extensions blob during the cleartext parts of the SSL handshake, chaining to an approved CA for that signature. Then, regulate ISPs so they must drop any TCP packets looking like an SSL handshake - that setup the secure sessions - unless the signature is present and authorized. Of course, that authorization itself requires an OCSP ping, which stores at disa the audit trail that CAC card X was used in SSL session Y to port P address I, at a given time.
> Date: Wed, 29 Nov 2006 14:20:01 -0500> From: greg.hennessy at cox.net> To: muscle at lists.musclecard.com> Subject: Re: [Muscle] FC6 and pkcs11_inspect> > Todd Denniston wrote:> > third.x509 contains[1] your> > "X509v3 Key Usage: critical> > Digital Signature, Non Repudiation", i.e., "Email Signature > > Certificate".> > In this certificate there is a section "Authority Information Access" > > which contains a OCSP URI definition, pkcs11_vfy is faulting on what > > it finds there. The URI (shouldn't that be URL?) that is on mine is a > > disa.mil host, which eventually times out when I try to have firefox > > or lynx look at it, so vfy may just not be able to get a response, or > > it is improperly defined.> >> > I say _mine_ has a OCSP URI definition because it seems that the more > > of these CAC certs I look at (before importing into thunderbird), the > > more I notice that the "Authority Information Access" and "X509v3 CRL > > Distribution Points" seem to be inconsistently applied, like the > > operator creating the badge gets to choose/enter the information and > > some of them do it and others don't.> > My CAC does indeed have a URI that points to a disa.mil hosts, but I > also don't get a response when> I go to that link. I'll attempt to try Timothy Miller's sugguestion and > see how that fairs. I did note> that if I turned off the enable_oscp pkcs11_inspect did display the > information on the second cert> on my CAC. I'll have to research of that test is manditory or just > advisory. If manditory, I'll> have to figure out how to deal when my laptop isn't connected to a > network if I wanted to use the email mapper.> > And today I got my scr243 card working on linux! I feel so productive. > If only my job wasn't to be an astronomer> instead of an IT guy.> > > _______________________________________________> Muscle mailing list> Muscle at lists.musclecard.com> http://lists.drizzle.com/mailman/listinfo/muscle
_________________________________________________________________
Use Messenger to talk to your IM friends, even those on Yahoo!
http://ideas.live.com/programpage.aspx?versionId=7adb59de-a857-45ba-81cc-685ee3e858fe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drizzle.com/pipermail/muscle/attachments/20061129/949d6127/attachment-0001.html
More information about the Muscle
mailing list