I also notice an interesting psychological reaction when I read
your message -- sort of, "This must be a bona fide message,
because look at all the garbage at the front end," even though
I can't validate the certificate and have no basis for such an
opinion!
Bob,
This is a variation of Steve Kent's:
"What you see is what you believe" (c. 1993-1994 STK Quotables Inc.)
:-)
This is part of why he is so concerned with what DN's _look_ like and
how certificates and certificate hierarchies are presented to the user.
John
----------------------
John,
I very much agree.
Peter Churchyard sent the following decomposition of Ken's message:
From my PCPEM implementation....
Privacy Enhanced Information validated Ok!
------------------------------------------------------------------------------
From: "Kenneth R. van Wyk"
<krvw(_at_)assist(_dot_)ims(_dot_)disa(_dot_)mil>
To: pem-users(_at_)tis(_dot_)com
Subject: A user's perspective of PEM
------------------------------------------------------------------------------
Originator Certification Path:
01 /cn=Kenneth R. van Wyk/ou=Operations/ou=Countermeasures/...
01 /ou=Countermeasures/ou=Center for Information Systems Security/...
03 /o=Trusted Information Systems PCA/st=MD/c=US/
------------------------------------------------------------------------------
Warnings:
Initialisation file pem.rc not found
No CRL for issuer
/o=Trusted Information Systems PCA/st=MD/c=US/
was found!
No CRL for issuer
/o=Trusted Information Systems PCA/st=MD/c=US/
was found!
No CRL for issuer
/ou=Countermeasures/ou=Center for Information Systems Security/...
was found!
------------------------------------------------------------------------------
***** Start of Privacy Enhanced Message data *****
PEM Users:
I've been using PEM now for quite some time. In fact, our ASSIST
(Automated Systems Security Incident Support Team) uses PEM to
digitally sign all of its advisories that it sends out by e-mail.
I've been quite happy with PEM and its capabilities, and I think that
it's a great service to the Internet community. I do have one
specific comment to make, however, that I thought would be of interest
to other PEM users as well as developers.
In sending out our PEM-signed advisories, we frequently encounter
people that have never seen or heard of PEM before. Although our
advisories include a short blurb on what PEM is (example attached
below), the PEM header information (all of our advisories include our
full PEM certificates) often confuses the readers. We get a large
number of messages back that say things like, "The e-mail that you
sent me was garbled - please re-transmit", or, "What the heck is this
stuff?!"... :-) Of course, all of us PEM "insiders" know what that
information is, and can quickly process our PEM mail. Ah, I should
also point out that many of our readers don't have PEM, so we send our
advisories out MIC-CLEAR so that any recipient can still read the
text.
Pete.
Perhaps Peter didn't copy everything, but I find this information quite
confusing.
------------------------------------------------------------------------------
Originator Certification Path:
01 /cn=Kenneth R. van Wyk/ou=Operations/ou=Countermeasures/...
01 /ou=Countermeasures/ou=Center for Information Systems Security/...
03 /o=Trusted Information Systems PCA/st=MD/c=US/
------------------------------------------------------------------------------
Why is the ou=Countermeasures repeated twice? Does the ... mean that more
information was provided, but not displayed? What happened to DISA?
Why is there no level 2 certificate for the CA? Was this deleted after
confirming
that name subordination was correct?
If precisely this information was provided, I would conclude that Ken worked for
TIS, which I don't think is the case!
Warnings:
Initialisation file pem.rc not found
No CRL for issuer
/o=Trusted Information Systems PCA/st=MD/c=US/
was found!
No CRL for issuer
/o=Trusted Information Systems PCA/st=MD/c=US/
was found!
No CRL for issuer
/ou=Countermeasures/ou=Center for Information Systems Security/...
was found!
------------------------------------------------------------------------------
It isn't clear from this why the complaints about not having CRLs for TIS were
issued twice, nor why they were presented in the opposite order from the
originator certification path.
I don't mean to criticise Peter's implementation. I don't know whether it is
"finished" or only a prototype, and I clearly haven't read the user manual
or anything else that might clarify these points. I was only discussing them
from the
standpoint of "What you see is what you believe".
Finally, as discussed in my States and Localities message, to be consistent
with
the guidelines that we are trying to come up with, I would like to see
something like
C=US, ST=Commonwealth of Maryland, O="Trusted Information Systems, Inc.",
OU="Trusted Information Systems PCA"
used as the PCA issuer's, since "Trusted Information Systems PCA" is presumably
not
registered as a corporation with the Secretary of State (or whatever) of the
Commonwealth of Maryland.
Also, we still have to resolve the issue of name subordination for CAs for
residential persons, which we were discussing before I got sidetracked with
all of this state and locality naming issues.
Bob