PaulDotCom mailing list archives

Re: Digital Signature with internal CA


From: Herndon Elliott <alabamatoy () gmail com>
Date: Sun, 24 Mar 2013 07:32:03 -0500

The DoD has a very thorough Smartcard solution.  For those on the outside,
lots of good info is here: http://militarycac.com/

One must have significant infrastructure shared between the parties who
will exchange signed/encrypted documents, such as Certificate Revocation
List (CRL pronounced "krill") and LDAP.

The whole point of shared trust is that the CA should be trusted by both
organizations in order to exchange signed/encrypted documents.  An internal
CA is by definition not a part of the deal, unless both orgs choose to trust it.
This means that in nearly all implementations, the CA would be a third
party chosen (and usually paid) to be trusted by both parties.  The CA
issues the certificates used to produce the keys, both public and private,
and maintains the CRL and LDAP services for certificate lookup.  The
internal CA would be for internal trust, like corporate apps and
interoffice commo, VPNs, authentication etc.

DoD can easily exchange signed and encrypted documents (NSA Type3
encryption) internally.  There are also good companion solutions which work
well with the CAC within Adobe Acrobat, ApproveIT and others.  Many web
apps now have built-in signature capability.  Middleware is required to
support the interface between the smartcards and the apps - here is more
info:
http://www.axway.com/products-solutions/email-identity-security/identity-security/desktop-validator

HTH -  Apologies if this already has been discussed.

Herndon Elliott
Madison, AL
https://keyserver.pgp.com key ID: 24B60B6150130832
ΜΟΛΩΝ ΛΑΒΕ  "molon labe"
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
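
The trust and revocation points made in the message above, as an added worked example (it is not code from the post or from any of the products it mentions): two organisations each run their own internal CA; a document signed under orgA's CA is accepted only by a verifier that holds orgA's root as a trust anchor, and only while the signer's certificate is absent from orgA's CRL. The organisation names (orgA, orgB), the signer (alice) and the contract text are constructed for the demonstration; it needs a stock openssl 1.1.1 or newer and runs entirely in a temporary directory.

```sh
#!/bin/sh
# Added example, not code from the original post. Two organisations each run
# an internal CA. A document signed under orgA's CA is accepted only by a
# verifier that trusts that CA, and only while the signer's certificate is
# absent from orgA's CRL. orgA, orgB, alice and the contract text are
# constructed for this demonstration. Needs openssl 1.1.1 or newer.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca ORG: self-signed root for ORG plus the config and bookkeeping files
# that `openssl ca` needs to revoke certificates and publish a CRL.
make_ca() {
  mkdir -p "$1/newcerts"; touch "$1/index.txt"; echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = ./$1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=$1 Root CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert ORG CN OUT: end-entity signing certificate from ORG's CA (OUT.key,
# OUT.crt). Revocation goes through `openssl ca`, which records the serial in
# ORG's database when -revoke is run.
issue_cert() {
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$3.key" -out "$3.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$3.ext"
  openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$3.ext" -out "$3.crt" 2>/dev/null
}

# gen_crl ORG: (re)publish ORG/ca.crl from ORG's revocation database.
gen_crl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null; }

# revoke_cert ORG CERT: mark CERT revoked; relying parties only see it once
# gen_crl publishes a fresh CRL.
revoke_cert() { openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null; }

# sign_doc SIGNER IN OUT: CMS SignedData (DER, content attached) made with
# SIGNER.key and carrying SIGNER.crt for the verifier.
sign_doc() {
  openssl cms -sign -binary -nodetach -outform DER \
    -signer "$1.crt" -inkey "$1.key" -in "$2" -out "$3"
}

# verify_doc SIGNED TRUST_CA CRL: the relying party's check. 0 = accepted;
# 1 = bad signature or signer does not chain to TRUST_CA; 2 = signer is on CRL.
verify_doc() {
  openssl cms -verify -inform DER -in "$1" -CAfile "$2" \
    -signer "$1.signer.crt" -out /dev/null 2>/dev/null || return 1
  openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1.signer.crt" \
    >/dev/null 2>&1 || return 2
}

# report LABEL SIGNED TRUST_CA CRL: print the outcome of verify_doc.
report() {
  rc=0; verify_doc "$2" "$3" "$4" || rc=$?
  case $rc in
    0) echo "$1: accepted" ;;
    1) echo "$1: rejected, bad signature or signer not under this trust anchor" ;;
    2) echo "$1: rejected, signer certificate is on the issuing CA's CRL" ;;
  esac
}

make_ca orgA; make_ca orgB
issue_cert orgA "alice@orgA.example" alice
printf 'Constructed sample contract text.\n' > contract.txt
sign_doc alice contract.txt contract.p7m
gen_crl orgA; gen_crl orgB                          # both CRLs still empty

report "orgA verifier, trusts orgA CA" contract.p7m orgA/ca.crt orgA/ca.crl
report "orgB verifier, trusts only its own CA" contract.p7m orgB/ca.crt orgB/ca.crl
cat orgA/ca.crt orgB/ca.crt > orgB/trusted.crt      # orgB chooses to trust orgA's CA too
report "orgB verifier, trusts both CAs" contract.p7m orgB/trusted.crt orgA/ca.crl
revoke_cert orgA alice.crt; gen_crl orgA            # orgA revokes alice, republishes CRL
report "orgB verifier after revocation" contract.p7m orgB/trusted.crt orgA/ca.crl
```

The two-step verify_doc mirrors what the message says has to be shared between the parties: the signature and chain check needs the issuing CA's certificate in the verifier's trust store, and the revocation check needs the issuing CA's current CRL. The third scenario is the "both orgs choose to trust it" case: orgB accepts alice's signature only after adding orgA's root to its own trust bundle, and the fourth shows that a signer dropped onto orgA's CRL is refused everywhere once the new CRL is fetched, with the Adobe/ApproveIT/middleware layer mentioned in the post being what automates this lookup for a CAC user.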
