Skip to content

Monthly Archives: June 2009

DoD PKI and the Beat of a Different Drummer, Part 2

After several years of dealing with huge unwieldy CRL files DoD finally stands up a OCSP server, and after months pass it is more or less usable for awhile. Then I noticed the OCSP responses were being signed by an expired certificate (for unknown reasons DoD decided to use self-signed responder certificates). Here’s a typical […]

DoD PKI and the Beat of a Different Drummer, Part 1

So, several years after first implementing the use of client and server x.509 certificates, DoD finally stands up an OCSP service. Good thing, because the relevant CRL files total over 200 megabytes, with some of them having a lifetime as brief as 18 hours. But, they had to do it a little differently. For starters […]

NSS Trickery

Like other comparable products Firefox and Thunderbird ship with a wide assortment of pre-installed CA certificates. Not only the usual ones from Verisign, Equifax, and the like but also ones from some obscure entities like “Staat der Nederlanden”, “”Camerfirma Chambers of Commerce”, “TURKTRUST Certificate Services”. The DoD PKI policy mandates that CA trusted keystores should […]

Opinions expressed herein are not necessarily those of Veridical Systems, OpenSSL, DoD, the author's evil twin Skippy, or anyone else possibly including the author himself.