What is the best practice correspondence for doing such a thing?
A what???
Quote from: abdsp51 on February 27, 2016, 07:05:04 PM
A what???
Public/Private key infrastructure depends on 2 things: A chain of trust, and availability of public keys to allow people to encrypt and send messages to them.
I have a smartcard. If I want someone to send me an encrypted message, I export the public key and make it available to them. That person can use that key to encrypt a message that only the smartcard holder can decrypt, as the smartcard contains the associated private key.
The public key on its own is useless for any malicious purpose, with the exception of initiating a brute force attack that will take longer than the heat death of the universe to achieve, assuming the key strength and algorithm are implemented in accordance with best practices.
I'm assuming that CAC holders have the same capability based on publicly available information on how CACs work.
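The exchange described in the post above, as an added example that is not part of the original thread: the holder hands out only a certificate, the sender encrypts to it, and only the matching private key decrypts. It assumes the `openssl` command-line tool; a software RSA key stands in for the smartcard, and all names and the message are constructed.

```shell
#!/bin/sh
# Constructed demo: a software RSA key stands in for the smartcard key.
# On a real card the private key is generated on, and never leaves, the card.

# make_identity DIR NAME: create NAME.key (private) and NAME.crt (public certificate).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2 (constructed)" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# encrypt_to CERT INFILE OUTFILE: the sender needs only the recipient's certificate.
encrypt_to() {
    openssl smime -encrypt -aes256 -binary -in "$2" -outform PEM -out "$3" "$1"
}

# decrypt_with CERT KEY INFILE: prints the plaintext; fails if KEY is not the matching one.
decrypt_with() {
    openssl smime -decrypt -inform PEM -in "$3" -recip "$1" -inkey "$2" 2>/dev/null
}

# roundtrip DIR: holder publishes a cert, sender encrypts, holder and a stranger try to decrypt.
roundtrip() {
    make_identity "$1" holder && make_identity "$1" stranger || return 1
    printf '%s' 'meet at 0900' > "$1/msg.txt"
    encrypt_to "$1/holder.crt" "$1/msg.txt" "$1/msg.p7m" || return 1
    echo "holder reads: $(decrypt_with "$1/holder.crt" "$1/holder.key" "$1/msg.p7m")"
    if decrypt_with "$1/stranger.crt" "$1/stranger.key" "$1/msg.p7m" >/dev/null; then
        echo "stranger reads the message (unexpected)"; return 1
    fi
    echo "stranger cannot decrypt"
}

work=$(mktemp -d) && roundtrip "$work"; rm -rf "$work"
```

The only file the sender ever touches is `holder.crt`, which contains no private key material.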
Your thread and question make no sense. I know about PKI; maybe you need to rephrase your question and thread title.
Quote from: abdsp51 on February 27, 2016, 07:23:47 PM
Your thread and question make no sense. I know about PKI; maybe you need to rephrase your question and thread title.
I'm not sure what more needs to be said. I explained what a public certificate is, I explained why a CAC holder would give one to someone. Now I'm asking the appropriate way to ask someone for one.
Quote from: Starfleet Auxiliary on February 27, 2016, 07:10:31 PM
Quote from: abdsp51 on February 27, 2016, 07:05:04 PM
A what???
Public/Private key infrastructure depends on 2 things: A chain of trust, and availability of public keys to allow people to encrypt and send messages to them.
I have a smartcard. If I want someone to send me an encrypted message, I export the public key and make it available to them. That person can use that key to encrypt a message that only the smartcard holder can decrypt, as the smartcard contains the associated private key.
The public key on its own is useless for any malicious purpose, with the exception of initiating a brute force attack that will take longer than the heat death of the universe to achieve, assuming the key strength and algorithm are implemented in accordance with best practices.
I'm assuming that CAC holders have the same capability based on publicly available information on how CACs work.
Your "Basic" CAC card does not have that capability.
Quote from: Starfleet Auxiliary on February 27, 2016, 07:27:55 PM
Quote from: abdsp51 on February 27, 2016, 07:23:47 PM
Your thread and question make no sense. I know about PKI; maybe you need to rephrase your question and thread title.
I'm not sure what more needs to be said. I explained what a public certificate is, I explained why a CAC holder would give one to someone. Now I'm asking the appropriate way to ask someone for one.
If you have a need to know for one you will get one.
Quote from: PHall on February 27, 2016, 07:32:09 PM
Quote from: Starfleet Auxiliary on February 27, 2016, 07:10:31 PM
Quote from: abdsp51 on February 27, 2016, 07:05:04 PM
A what???
Public/Private key infrastructure depends on 2 things: A chain of trust, and availability of public keys to allow people to encrypt and send messages to them.
I have a smartcard. If I want someone to send me an encrypted message, I export the public key and make it available to them. That person can use that key to encrypt a message that only the smartcard holder can decrypt, as the smartcard contains the associated private key.
The public key on its own is useless for any malicious purpose, with the exception of initiating a brute force attack that will take longer than the heat death of the universe to achieve, assuming the key strength and algorithm are implemented in accordance with best practices.
I'm assuming that CAC holders have the same capability based on publicly available information on how CACs work.
Your "Basic" CAC card does not have that capability.
That's what I needed to know. Thanks!
See your IT rep at the place that issued the CAC. There usually is a web site you go to that downloads it once it verifies your credentials.
Quote from: Starfleet Auxiliary on February 27, 2016, 07:10:31 PM
I'm assuming that CAC holders have the same capability based on publicly available information on how CACs work.
There's a button in Outlook that magically extracts/publishes my certs to Active Directory for the rest of the AF to use... I've never heard of anybody manually extracting them.