Bob,
I would be quite interested to know what type of organizational
hudles, if any, you had to go through to sign a contract (if you had
to sign one) with TIS to be a CA, and even more importantly, how much
effort it took to get DISA management to sign off on the use of
digital signatures for CERT purposes.
Sorry to report that I haven't either "cracked that nut". I'm using
PEM for operational reasons, and have managed (with support of my
direct management and direct++ management) to get approval to use it.
I wouldn't say that DISA as a whole is using PEM or anything of the
sort.
On the other hand, our ASSIST Bulletins are getting wider and wider
distribution, and with each bulletin, we're getting more and more
queries about PEM (once we get over the preliminary, "what is this
stuff?!" questions :-). The people that I've spoken with on the phone
have clearly understood the need for digitally signed security
advisories, and many of my "customers" are now authenticating our
bulletins. We're clearly gaining momentum, as more and more people
become aware of PEM outside of the developer/tester community. And,
I've been urging other computer emergency response teams to similarly
sign their advisories.
Cheers,
Ken van Wyk