Ken,
Since I don't have PEM up and running on my PC, I can't
parse your issuer certificate chain to see who issued your
certificate, and who your PCA is, but I would be curious to
know.
Perhaps even more important would be to understand the process that
you had to go through within DISA to set up this hierarchy,
what legal review you had to pass, etc.
It seems to me that CERT-type processes are among the best
possible examples of a really good application for both privacy
(to avoid letting the bad guys know what counter-measures are
being contemplated), and for digital signatures (to protect against
the possibility of a spoof attack against the CERT itself.)
The benefit in this case certainly outweighs any reasonable
risk that might be perceived, but I would be very interested
to learn exactly what you had to do to sell the idea to your
management. What objections were raised, and how did you
overcome these hurdles?
I have seen a number of other PEM-signed messages, of course,
but yours is one of the first that appeared to be "for real" as
opposed to a developer's test message. (I'm assuming that your
PCA's policy doesn't say something like "This is a bogus PCA
and any certificates issued under it are null and void.")
I also notice an interesting psychological reaction when I read
your message -- sort of, "This must be a bona fide message,
because look at all the garbage at the front end," even though
I can't validate the certificate and have no basis for such an
opinion!
Bob
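The check the message above says it could not perform, shown as an added example that is not part of the original e-mail. PEM's own RFC 1421/1422 encoding is not reproduced; the example uses X.509 chain validation from the Go standard library as a stand-in. It builds a constructed PCA-to-CA-to-user hierarchy, signs a message the way a PEM header carries signature and certificate chain, and then verifies the signature and the chain against a trust store that holds only the PCAs the recipient has chosen to trust. A second hierarchy with the same subject names but different keys (the "bogus PCA") carries a chain that parses and is internally consistent, yet fails verification, which is the point: the "garbage at the front end" proves nothing until it chains to a PCA you trust. All names, keys and the message body are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy mirrors a PEM-style chain: PCA root -> CA -> user certificate.
// Everything in it is constructed for this example.
type Hierarchy struct {
	PCA, CA, User *x509.Certificate
	UserKey       *ecdsa.PrivateKey
}

// issue mints a certificate for subject, signed by parent (self-signed when parent is nil).
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root: this is the PCA
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildHierarchy creates a three-level chain under a PCA with the given (hypothetical) names.
func BuildHierarchy(pcaName, caName, userName string) Hierarchy {
	pca, pcaKey := issue(pcaName, true, nil, nil)
	ca, caKey := issue(caName, true, pca, pcaKey)
	user, userKey := issue(userName, false, ca, caKey)
	return Hierarchy{PCA: pca, CA: ca, User: user, UserKey: userKey}
}

// SignedMessage holds the body plus what a PEM header carries: the signature and the
// sender's certificate chain, leaf first. The chain is asserted by the sender, not trusted.
type SignedMessage struct {
	Body  []byte
	Sig   []byte
	Chain []*x509.Certificate
}

// Sign signs the SHA-256 digest of body with the user key and attaches the full chain.
func Sign(body []byte, h Hierarchy) SignedMessage {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, h.UserKey, digest[:])
	if err != nil {
		panic(err)
	}
	return SignedMessage{Body: body, Sig: sig, Chain: []*x509.Certificate{h.User, h.CA, h.PCA}}
}

// Verify checks two independent things: that the signature matches the body under the
// leaf key, and that the leaf chains to a PCA the recipient trusts. A chain carried in the
// message that ends in an unknown root (the "bogus PCA" case) fails the second check.
func Verify(m SignedMessage, trustedPCAs *x509.CertPool) error {
	if len(m.Chain) == 0 {
		return errors.New("message carries no certificate")
	}
	leaf := m.Chain[0]
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported signer key type")
	}
	digest := sha256.Sum256(m.Body)
	if !ecdsa.VerifyASN1(pub, digest[:], m.Sig) {
		return errors.New("signature does not match message body")
	}
	intermediates := x509.NewCertPool() // issuers shipped with the message help build the path only
	for _, c := range m.Chain[1:] {
		intermediates.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         trustedPCAs, // never nil: nil would silently fall back to system roots
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	genuine := BuildHierarchy("Example PCA", "Example CA", "ken@example.mil")
	bogus := BuildHierarchy("Example PCA", "Example CA", "ken@example.mil") // same names, other keys
	trusted := x509.NewCertPool()
	trusted.AddCert(genuine.PCA)
	body := []byte("CERT Advisory: constructed sample text\n")
	fmt.Println("genuine chain:", Verify(Sign(body, genuine), trusted))
	fmt.Println("bogus PCA:    ", Verify(Sign(body, bogus), trusted))
}
```

The design choice worth noting is that the trust store is the recipient's, never the sender's: the chain in the message is only used to find a path, and the path must terminate in a certificate already in `trustedPCAs`. Run with an empty pool and even the genuine message is rejected, which is the correct outcome for a reader who, like the writer above, has no validated PCA to start from.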