PKI Question (IECA)

Tom Pennington

Has anybody had to deal with the not so new requirement by DoD to implement
PKI for all contractors who need to exchange email between themselves and
DoD? The requirement is called IECA.

I'm just trying to find out if anyone has had to do this, what's involved,
besides paying the $100-$150 extortion fee to simply verify who I say I am.

Thanks,
Tom

Tom Pennington

Yeah, I found them too. There are supposedly 3 approved vendors but today I
started looking in the Windows 2003 Certificate Authority server and it's
exactly the same thing one of the approved vendors is using. Besides, these
vendors charge anywhere from $100 to $150 per user, per certificate, so in a
large company, that's a lot of money.

Brian Tillman

Tom Pennington said:
Yeah, I found them too. There are supposedly 3 approved vendors but
today I started looking in the Windows 2003 Certificate Authority
server and it's exactly the same thing one of the approved vendors is
using. Besides, these vendors charge anywhere from $100 to $150 per
user, per certificate, so in a large company, that's a lot of money.

It's not a question of what software the vendors use. Security certificates
involve trusting _who_ issued the certificates, not how they were issued.

neo [mvp outlook]

I'm not entirely sure where you want to go with this issue other than you
expressing displeasure that DOD is establishing a guideline of what must be
done for certain business transactions.

Perhaps http://iase.disa.mil/pki/eca/ will offer some additional insight.

Tom Pennington

Well, I was hoping that someone could shed some light on this as it seems the
only thing the vendors are interested in is selling you a certificate and
nobody is actually telling you what you are supposed to do with it once you
get it. The other problem is that it's on a user-by-user certificate and
there is no "Enterprise" solution available.

Well, after poking around a bit today, I realized that the Microsoft CA
server is being used by one if not all of the vendors that DoD has approved,
so I gave it a whirl on one of my W3K servers. It seems like that will
work, but I have no idea if DoD will accept it since according to everything
I've read, only certificates issued by the 3 approved vendors will work.
What the info doesn't say is what happens if you try and send an email with
it being digitally signed? I'm assuming that it will be rejected, but
nothing actually says that.

Am I displeased? You bet. As normal, something put out by DoD has everyone
jumping around but they have not given any clear direction to jump.

Tom

Brian Tillman

Tom Pennington said:
Well, after poking around a bit today, I realized that the Microsoft
CA server is being used by one if not all of the vendors that DoD has
approved, so I gave it a whirl on one of my W3K servers. It seems
like that will work, but I have no idea if DoD will accept it since
according to everything I've read, only certificates issued by the 3
approved vendors will work.

Again, it's not a question of whether or not a certificate you generate will
work. It's whether or not it can be *trusted*. A digital certificate is
supposed to be a document that says you are who you claim to be. If you
issue the certificate yourself, how can the recipient verify your claim?
The claim must be made by a trusted authority. Anyone can claim to be
whomever they choose. How does that guarantee the certificate isn't lying?
A trusted authority's claim, however, has been established as "the truth".
Certificates issued by them are certified to be truthful. The penalties
of falsifying a certificate are enormous, when it comes to the government.
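The distinction Brian draws in both of his replies (trust the issuer, not the software) is exactly what a recipient's mail client enforces when it validates a signed message. The Go program below is an added illustration, not code from this thread or from any ECA vendor: it builds a tiny PKI in memory, issues one user certificate from a CA that the recipient trusts and one that the user signs for themselves, then runs the standard chain validation against a trust store containing only the CA. The CA name and the e-mail address are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert creates a certificate for cn and signs it with parentKey on behalf
// of parent. When parent is nil the certificate is self-signed: the subject
// vouches for itself, which is what a certificate minted on a private CA that
// no relying party has agreed to trust amounts to.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// An S/MIME signing certificate: the address goes in the SAN and the
		// extended key usage states what the certificate may be used for.
		tmpl.EmailAddresses = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyEmailCert does what a recipient's mail client does with a signed
// message: build a chain from cert to a root it trusts for e-mail protection.
// The returned error is nil only when such a chain exists.
func verifyEmailCert(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err
}

// TrustDemo returns the verification result for a user certificate issued by
// the CA the recipient trusts (caSignedErr) and for a certificate the same
// user issued to themselves (selfIssuedErr). Only the first should be nil.
func TrustDemo() (caSignedErr, selfIssuedErr error) {
	// Constructed names; no real ECA vendor root is used here.
	ca, caKey, err := makeCert("Example Approved ECA Root (constructed)", true, nil, nil)
	if err != nil {
		return err, err
	}
	caSigned, _, err := makeCert("tom@example.com", false, ca, caKey)
	if err != nil {
		return err, err
	}
	selfIssued, _, err := makeCert("tom@example.com", false, nil, nil)
	if err != nil {
		return err, err
	}

	// The recipient's trust store holds the approved root and nothing else.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return verifyEmailCert(caSigned, roots), verifyEmailCert(selfIssued, roots)
}

func describe(err error) string {
	if err == nil {
		return "trusted (chains to an approved root)"
	}
	return "rejected: " + err.Error()
}

func main() {
	caSignedErr, selfIssuedErr := TrustDemo()
	fmt.Println("CA-issued certificate:  ", describe(caSignedErr))
	fmt.Println("self-issued certificate:", describe(selfIssuedErr))
}
```

Both user certificates carry the same name, the same key type and the same extensions, and both were produced by the same library; the only difference is whose signature sits on them. The self-issued one fails with an unknown-authority error because nothing in the recipient's trust store vouches for it, which is the situation a Windows 2003 CA certificate would be in at DoD unless DoD had chosen to trust that CA.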