pem-dev

Re: Electronic Messaging Policy - Implementation Guidance

1995-03-16 08:14:00
Rob, the announcement of the new DOD policy brings several interesting
questions to mind:

Do I understand correctly that Fortezza uses a straight DSS plus SHA for
signature purposes? If so, presumably a software-only version could be built
that would interoperate with Fortezza cards, both signing and verifying
signatures (but not encrypting)?

Supposing that the PEM concept were extended to include these algorithms (easy
enough), what would the PCA policy implications be?

Has DOD issued what would be in effect a PCA policy, stating what the 
identification requirements will be for anyone who is issued a Fortezza card?

Moreover, has DOD stated what kind of a PCA policy they would accept in order
to cross-certify a non-DOD PCA for commercial interoperability, i.e., EDI?

What kind of assumptions and checking of the root-key of the top of the
hierarchy are built into Fortezza cards? Could interoperation of two PCAs (one
commercial/civilian and one DOD) be supported technically?

I'm currently wrestling with trying to decide upon an appropriate schema for
both X.509 v1 (and later v3) certificate DNs, and for X.500 directory DNs that
can be supported by the NADF, ultimately including the Navy and USPS efforts.
Presumably DOD has decided upon at least a core set of attributes which must be
supported by the Local Authority Workstation for inclusion in a Fortezza
certificate -- have they also defined a maximum list of optional attributes? I
am particularly interested in those attributes that might be useful for
residential persons as opposed to organizational persons, and for "cyberpunks"
who would like to use their (SMTP, please) e-mail address as their DN, without
reference to either a residential or organizational address.

Any help would be appreciated.

Bob
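The software-only DSS-plus-SHA signer the message speculates about, as an added example that is not part of the original post and not Fortezza software (Fortezza did in fact sign with DSA over SHA-1; only its Skipjack/KEA encryption needed the card). The block implements DSA signing and verification over SHA-1 in pure Python, plus the DER encoding of the (r, s) pair that a card and a software verifier would have to agree on (the Dss-Sig-Value SEQUENCE of two INTEGERs later standardized in RFC 3279). The domain parameters are generated locally at illustrative sizes and are an assumption for the example, not Fortezza's parameters; all function names are this example's own.

```python
"""Software-only DSS (DSA) signing and verification over SHA-1.
Added example, not from the original post or any Fortezza software; the domain
parameters are generated here at illustrative sizes and are NOT Fortezza's."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2 or any(n % s == 0 for s in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_parameters(p_bits=1024, q_bits=160):
    """DSA domain parameters (p, q, g): q prime, q | p-1, g of order q mod p."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:  # p = k*q + 1 with k even so that p is odd and exactly p_bits long
        k = (secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    h = 2
    while (g := pow(h, (p - 1) // q, p)) == 1:
        h += 1
    return p, q, g

def generate_keypair(params):
    """Private x in [1, q-1] and public y = g^x mod p."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def _hash_to_int(q, message):
    """SHA-1 of the message as an integer; leftmost bits only if q is shorter than the digest."""
    h = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return h >> max(0, 160 - q.bit_length())

def sign(params, x, message):
    """DSA (r, s); k must be fresh and secret per signature, since k reuse leaks x."""
    p, q, g = params
    h = _hash_to_int(q, message)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (h + x * r)) % q
        if r and s:
            return r, s

def verify(params, y, message, signature):
    """True iff (r, s) is a valid signature on message under public key y."""
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = (_hash_to_int(q, message) * w) % q, (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r

def _der_int(n):
    """DER INTEGER: minimal big-endian bytes, with a leading 0x00 if the top bit is set."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(body)]) + body

def der_encode_signature(r, s):
    """Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }; short-form lengths suffice for 160-bit q."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def der_decode_signature(data):
    """Strict inverse of der_encode_signature; anything but that exact shape is rejected."""
    if len(data) < 2 or data[0] != 0x30 or data[1] >= 0x80 or data[1] != len(data) - 2:
        raise ValueError("not a short-form DSA signature SEQUENCE")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(data) or data[pos] != 0x02 or data[pos + 1] >= 0x80:
            raise ValueError("expected short-form INTEGER")
        n = data[pos + 1]
        ints.append(int.from_bytes(data[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(data):
        raise ValueError("trailing bytes after signature")
    return ints[0], ints[1]
```

Two points the code makes that bear on the interoperability question: a software verifier needs nothing from the card except the same (p, q, g), the public key y, the same hash, and agreement on how (r, s) is serialized, so signing and verifying really are doable off-card; and the per-signature nonce k is the part a card protects best, because reusing or leaking k for even one signature recovers the private key x.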