[Leaplist] What do you all use for digitally signing PDF files?
Brad Ackerman
brad at facefault.org
Wed Sep 17 18:36:58 EDT 2008
On Sep 17, 2008, at 10:30, John Simpson wrote:
> I know the DoD has their own root CA, which long ago signed a set of
> root keys for each service. Each of these services can further sign
> other keys, acting as a "delegated" CA. I would imagine they have a
> procedure to sign keys for any contractors from whom they will be
> receiving files.
There's a separate PKI system for contractor certificates -- http://iase.disa.mil/pki/eca/
> I also know that the military ID cards, as well as the ID cards
> given to outside contractors (i.e. "common access cards") have a
> "smart chip" which contains a key pair for the card itself,
> generated by the card while it was being manufactured. The chip has
> the ability to do encryption and decryption operations by itself,
> which means there is no legitimate need to ever know the contents of
> the secret key stored on the chip.
There's one -- key escrow. There'd be problems if users who lost their
CAC card or managed to permanently lock it were then unable to read
their encrypted email/documents. The solution is to generate the key
externally and load it onto the smart card.
For extra credit, you then get to deal with a) how your border mail
gateways can virus scan email they can't open; and b) Federal Records
Act compliance. Ia! Ia! Cthulhu fhtagn!
--
Brad Ackerman
brad at facefault.org
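The trade-off Brad describes above (an on-card key that never leaves the chip versus an externally generated key with an escrow copy), worked through as an added Go example; this is not code from the list, from DoD, or from any real CAC implementation. The `Card` type is a toy model of a card that decrypts on the holder's behalf, the holder id is a placeholder, the escrow authority's key-encryption key (KEK) is generated inside the demo, and the `Wrap`/`Unwrap` functions are this example's own names for the deposit and recovery steps. Only the decryption key is modelled, since the problem in the thread is reading encrypted mail and documents after the card is gone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Card is a toy model of a CAC-style smart card: its private key never leaves it.
type Card struct {
	priv *rsa.PrivateKey
	lost bool // true once the card is lost or permanently locked
}

func (c *Card) Decrypt(ct []byte) ([]byte, error) {
	if c.lost {
		return nil, errors.New("card unavailable: lost or locked")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, ct, nil)
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap is the escrow deposit: the externally generated private key is sealed with
// AES-256-GCM under the escrow KEK, with the holder id bound as associated data.
func Wrap(kek []byte, holder string, priv *rsa.PrivateKey) ([]byte, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	der := x509.MarshalPKCS1PrivateKey(priv)
	return aead.Seal(nonce, nonce, der, []byte(holder)), nil
}

// Unwrap is the recovery step: the escrow authority rebuilds the key without the card.
func Unwrap(kek []byte, holder string, blob []byte) (*rsa.PrivateKey, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("escrow blob too short")
	}
	der, err := aead.Open(nil, blob[:n], blob[n:], []byte(holder))
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// must panics on setup failures (key generation, randomness) the demo cannot recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario encrypts one message to an on-card-generated key and one to an escrowed
// key, "loses" both cards, and reports whether the message is still readable.
func Scenario() (onCardOK, escrowedOK bool) {
	msg := []byte("constructed sample: encrypted memo") // constructed input
	holder := "holder-id-placeholder"                   // placeholder holder id
	// Card A: key generated on the card, so no copy exists anywhere else.
	cardA := &Card{priv: must(rsa.GenerateKey(rand.Reader, 2048))}
	// Card B: key generated externally, escrowed, then loaded onto the card.
	kek := make([]byte, 32) // escrow authority's KEK, generated here only for the demo
	must(rand.Read(kek))
	privB := must(rsa.GenerateKey(rand.Reader, 2048))
	blob := must(Wrap(kek, holder, privB))
	cardB := &Card{priv: privB}
	ctA := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &cardA.priv.PublicKey, msg, nil))
	ctB := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &cardB.priv.PublicKey, msg, nil))
	cardA.lost, cardB.lost = true, true
	_, errA := cardA.Decrypt(ctA) // the only copy of key A went with the card
	onCardOK = errA == nil
	recovered := must(Unwrap(kek, holder, blob)) // escrow rebuilds key B
	pt, errB := rsa.DecryptOAEP(sha256.New(), rand.Reader, recovered, ctB, nil)
	escrowedOK = errB == nil && string(pt) == string(msg)
	return onCardOK, escrowedOK
}

func main() { fmt.Println(Scenario()) } // prints: false true
```

Running it prints `false true`: the message encrypted to the on-card key is gone with the card, while the escrow authority can unwrap its copy and read the message without the card. Binding the holder id as GCM associated data means an escrow blob cannot be unwrapped under a different holder's name, which is the kind of control an escrow store needs once a copy of every user's decryption key exists outside the card.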