Peter Williams wrote:
what is fascinating about the design of the library is not its novelty,
but its audacity. You cannot use the crypto capability of the CAC if (a)
the network is not there (b) the crypto control authority (via signed
OCSP) doesn't cooperate or opts not to cooperate with you f
which stores at disa the audit
trail that CAC card X was used in SSL session Y to port P address I, at a given
time.
> Date: Wed, 29 Nov 2006 14:20:01 -0500
> From: [EMAIL PROTECTED]
> To: muscle@lists.musclecard.com
> Subject: Re: [Muscle] FC6 and pkcs11_inspect
Greg Hennessy wrote:
My CAC does indeed have a URI that points to a disa.mil host, but I
also don't get a response when
I go to that link. I'll attempt to try Timothy Miller's suggestion and
see how that fares. I did note
that if I turned off the enable_oscp pkcs11_inspect did display the
in
Todd Denniston wrote:
third.x509 contains[1] your
"X509v3 Key Usage: critical
Digital Signature, Non Repudiation", i.e., "Email Signature
Certificate".
In this certificate there is a section "Authority Information Access"
which contains an OCSP URI definition, pkcs11_vfy is faulting on what
it
I'm sure you're right.
Brian
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Timothy J.
Miller
Sent: Wednesday, November 29, 2006 12:47
To: MUSCLE
Subject: Re: [Muscle] FC6 and pkcs11_inspect
Allshouse, Brian M CTR NSWCDD XDT wrote:
> The bug h
Allshouse, Brian M CTR NSWCDD XDT wrote:
The bug has since been fixed and released on Mozilla's site
but I'm sure it's not in FC6.
Bob Relyea told me should be in the RHEL5 beta, but I don't have access
to that at the moment. It'll be in an FC6 update, I should think.
-- Tim
Todd Denniston wrote:
In this certificate there is a section "Authority Information Access"
which contains an OCSP URI definition, pkcs11_vfy is faulting on what it
finds there. The URI (shouldn't that be URL?) that is on mine is a
disa.mil host, which eventually times out when I try to have f
Greg Hennessy wrote:
One certificate seems fine, but can anyone shed light on what Invalid
OCSP signing cert means I did wrong?
You're missing the DoD OCSP signing certificate in your cert store,
that's all. Email me privately from your USN account and I'll send it
to you from my AF account
ng a DoD CAC on FC6.
Sincerely,
Brian M. Allshouse
Network Operations - XDT
Bowhead Information Technology Services
(540) 653-6692
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd Denniston
Sent: Wednesday, November 29, 2006 9:35
T
Greg Hennessy wrote:
David T. MacKenzie wrote:
Mr. Hennessy, here's a jump-start on certutil:
To list CAs:
certutil -L -d /etc/pki/nssdb/
To import one:
certutil -A -n "Smart Card CA" -t "CT,C," -d /etc/pki/nssdb -i certfile.crt
Thanks. That helps a significant amount, but after importin
David T. MacKenzie wrote:
Mr. Hennessy, here's a jump-start on certutil:
To list CAs:
certutil -L -d /etc/pki/nssdb/
To import one:
certutil -A -n "Smart Card CA" -t "CT,C," -d /etc/pki/nssdb -i certfile.crt
Thanks. That helps a significant amount, but after importing the certs I
think I
All,
I'd like to reply to this post in both of these places in case anyone
has any ideas -- I've begun working with my CAC and the pkcs11/coolkey
implementation that comes out of the box with Fedora Core 6.
Unfortunately, I'm getting an error which is preventing me even from
getting to the point
> >DEBUG:cert_vfy.c:41: Couldn't verify Cert: Peer's Certificate issuer is
> >not recognized.
> ^
>
> As I expected.
> You need to get pam_pkcs11 to recognize your (The DoD) CAs, i.e.,
> `certutil` or `make_hash_link.sh`
Greg wrote:
IIRC from another mailing list I am on, the Fedora version may use
`certutil` instead of pam_pkcs11's `make_hash_link.sh` to create links to
each of the CAs, and I am not sure if they keep them (the CAs) in the same
place as the normal pam_pkcs11.
I'll try to find certutil when I
> FC6's pam_pkcs11 is NSS-based, not OpenSSL-based, which is why there's a
> difference. RedHat wants to use NSS as a system-wide crypto service, a
> la Microsoft CAPI.
Is there anywhere that might explain what this means? I'm just a dumb
astronomer trying to keep upper level management from ta
> IIRC from another mailing list I am on, the Fedora version may use
> `certutil` instead of pam_pkcs11's `make_hash_link.sh` to create links to
> each of the CAs, and I am not sure if they keep them (the CAs) in the same
> place as the normal pam_pkcs11.
I'll try to find certutil when I get ho
Todd Denniston wrote:
IIRC from another mailing list I am on, the Fedora version may use
`certutil` instead of pam_pkcs11's `make_hash_link.sh` to create links
to each of the CAs, and I am not sure if they keep them (the CAs) in the
same place as the normal pam_pkcs11.
FC6's pam_pkcs11 is NS
Ludovic Rousseau wrote:
On 28/11/06, Greg Hennessy <[EMAIL PROTECTED]> wrote:
I have several linux boxes running FC5 at work, and I have installed
pam_pkcs11 via tarball and have a working system. I just recently
did a fresh install of FC6 to my home computer, and I noticed that the
pam_pkcs pac
On 28/11/06, Greg Hennessy <[EMAIL PROTECTED]> wrote:
I have several linux boxes running FC5 at work, and I have installed
pam_pkcs11 via tarball and have a working system. I just recently
did a fresh install of FC6 to my home computer, and I noticed that the
pam_pkcs package was installed by def
I have several linux boxes running FC5 at work, and I have installed
pam_pkcs11 via tarball and have a working system. I just recently
did a fresh install of FC6 to my home computer, and I noticed that the
pam_pkcs package was installed by default. I've verified that I can use
my CAC to do enc