pem-dev

Re: A user's perspective of PEM

1994-01-13 11:54:00
Comment on my current implementation for MSDOS...

On my PC the line below is shown at the top of each displayed page, so that
as you go down the document you still know that this document was ok. If the
message had problems then this title line would reflect that...
 
Privacy Enhanced Information validated Ok!
---------------------------------------------------------------------------
From:    "Kenneth R. van Wyk" 
<krvw(_at_)assist(_dot_)ims(_dot_)disa(_dot_)mil>
To:      pem-users(_at_)tis(_dot_)com
Subject: A user's perspective of PEM
---------------------------------------------------------------------------
Originator Certification Path: 
01 /cn=Kenneth R. van Wyk/ou=Operations/ou=Countermeasures/...
01 /ou=Countermeasures/ou=Center for Information Systems Security/...
03 /o=Trusted Information Systems PCA/st=MD/c=US/
---------------------------------------------------------------------------
Warnings:
Initialisation file pem.rc not found
No CRL for issuer
/o=Trusted Information Systems PCA/st=MD/c=US/
 was found!
No CRL for issuer
/o=Trusted Information Systems PCA/st=MD/c=US/
 was found!
No CRL for issuer
/ou=Countermeasures/ou=Center for Information Systems Security/...
 was found!
---------------------------------------------------------------------------
***** Start of Privacy Enhanced Message data *****
PEM Users:
  ...



Perhaps Peter didn't copy everything, but I find this information quite 
confusing.

Correct just some of the message. (Also it was cut and pasted from my code
running under Irix running on an SGI box) but the PC would look the same. (:->

Also I didn't have an init file around for my PEM so it defaulted to the above
display. I currently normally tell it to ignore no-crl problems.


 ---------------------------------------------------------------------------
Originator Certification Path: 
01 /cn=Kenneth R. van Wyk/ou=Operations/ou=Countermeasures/...
01 /ou=Countermeasures/ou=Center for Information Systems Security/...
03 /o=Trusted Information Systems PCA/st=MD/c=US/
---------------------------------------------------------------------------

Currently I abbreviate the displayed certificate so that it fits on a single
line. I also show all the certificates in the chain. The ... shows that the
certificate display has been truncated by the program. I am adding an option
to show all the certificate information.


Why is the ou=Countermeasures repeated twice? Does the ... mean that more 
information was provided, but not displayed? What happened to DISA?

I build the display format in little to big order and keep adding components
if they fit the available space. 


Why is there no level 2 certificate for the CA? Was this deleted after 
confirming that name subordination was correct?
 
It is probably part of the certificate
/ou=Countermeasures/ou=Center for Information Systems Security/

but fell off the end...

If precisely this information was provided, I would conclude that Ken worked 
for TIS, which I don't think is the case!



Warnings:
Initialisation file pem.rc not found
No CRL for issuer
/o=Trusted Information Systems PCA/st=MD/c=US/
 was found!
No CRL for issuer
/o=Trusted Information Systems PCA/st=MD/c=US/
 was found!
No CRL for issuer
/ou=Countermeasures/ou=Center for Information Systems Security/...
 was found!
---------------------------------------------------------------------------

It isn't clear from this why the complaints about not having CRLs for TIS 
were issued twice, nor why they were presented in the opposite order from the 
originator certification path.

The messages are issued as it is trying to validate the certificates. This
is done by building the chain and then working down from the root. The TISPCA
cert is self signed which is why the message came out twice... (buglet)


I don't mean to criticise Peter's implementation. I don't know whether it is
"finished" or only a prototype, and I clearly haven't read the user manual
or anything else that might clarify these points. I was only discussing them 
from the standpoint of "What you see is what you believe".

If we can get it exported from the UK, I would be happy to let you read the
manual (:->

Pete.
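
The fit-to-width display described in the message above (components added in little-to-big order while they fit, the rest replaced by "..."), as an added example that is not part of the original message or of the implementation it discusses. The distinguished name is constructed sample data, and the width, the function names and the "[not shown: ...]" note are assumptions made here to show how truncation can hide the organisation and country from the reader.

```python
# Added illustration. The DN is constructed sample data, and WIDTH and the
# function names are assumptions, not taken from the implementation discussed.
WIDTH = 60                      # assumed width of one certificate display line
IDENTITY_TYPES = {"o", "c"}     # components a reader relies on to place the subject

def abbreviate_dn(rdns, width=WIDTH):
    """Build '/a/b/.../' from rdns ordered little (most specific) to big.

    Components are added while they fit; the rest are replaced by '...'.
    Returns (display_text, dropped_components).
    """
    shown = "/"
    for i, rdn in enumerate(rdns):
        candidate = shown + rdn + "/"
        # Keep room for the '...' marker unless this is the final component.
        reserve = 0 if i == len(rdns) - 1 else 3
        if len(candidate) + reserve > width:
            return shown + "...", rdns[i:]
        shown = candidate
    return shown, []

def hidden_identity_types(dropped):
    """Attribute types from IDENTITY_TYPES that the truncation removed."""
    return sorted({r.split("=", 1)[0].lower() for r in dropped} & IDENTITY_TYPES)

def display_line(rdns, width=WIDTH):
    """Abbreviated DN, with a note appended after it when o=/c= did not fit."""
    text, dropped = abbreviate_dn(rdns, width)
    hidden = hidden_identity_types(dropped)
    if hidden:
        text += "  [not shown: " + ", ".join(hidden) + "]"
    return text

SAMPLE_DN = ["cn=Alice Example", "ou=Operations", "ou=Countermeasures",
             "o=Example Agency", "c=US"]   # constructed

if __name__ == "__main__":
    print(display_line(SAMPLE_DN))        # truncated, with the note
    print(display_line(SAMPLE_DN, 80))    # everything fits
```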

