Firefox and the Common Access Card (CAC)

I meant to report for anyone else who wants to do this that I managed to get the SSP / Litronics NetSignCAC middleware to work with Firefox and Mozilla. ‘CAC’ is an acronym for the Common Access Card, and it’s the ID card for all Department of Defense personnel (both military and civilian). It’s a smartcard made by Schlumberger that stores DoD-issued x509 certificates that can be used for all the regular things that x509 certs are for: signing email, authenticating to web sites, etc.

The frustration was that using the CAC requires some ‘middleware’ that enables the client application (i.e. the web browser) to extract the certificates from the card. There’s an industry-standard API for this called PKCS #11, and SSP has built middleware that implements it for the CAC. My IT support folks loaded the appropriate middleware, but it only worked with Internet Explorer.

So, to load the middleware with Firefox or Mozilla, I stumbled around for quite some time trying to use the ‘Manage Security Devices’ tab under the preferences dialog. That didn’t work. What worked was bringing up the page file:///C:/Program%20Files/SSP%20Solutions/NetSign%20CAC/CryptoInstall.htm, which contained some magic that the browser needed to install the middleware. Poof!

Alas, that wasn’t enough. Once I’d done that, Firefox would pop up a dialog requesting the PIN for my CAC, but I still couldn’t authenticate to web sites that require a client certificate. The problem, I believe, is bug 154246 and bug 154255 in Mozilla/Firefox Network Security Services; it can pull a client cert from a smartcard, but doesn’t pull the entire chain. Until this has a better solution, the workaround was to explicitly load my certificate authorities into Firefox. I did this by sending myself a signed email, examining the certs on the email, exporting my Root CA and Intermediate CA certs, and then importing those into Firefox as trusted CAs. Voilà! I can use my CAC with Firefox.
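The failure described above (the browser holds the leaf certificate from the card but not the issuing CAs, so path validation cannot complete) can be reproduced on any machine with the openssl command-line tool. The script below is an added example, not code from the original post or from SSP/Litronics: it builds a constructed root CA, intermediate CA and client certificate with made-up names, then checks the client cert once with only the root known and once with the intermediate supplied as well. The second check corresponds to importing the Root CA and Intermediate CA certs into the browser, as the post does. Private keys are written to a temporary directory purely for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a constructed
# root -> intermediate -> client chain with openssl and shows that the client
# certificate only verifies when the intermediate CA is available.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the CA certificates (root and intermediate).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
# Extensions for the end-entity (client authentication) certificate.
cat > client.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
EOF

# Self-signed root CA (constructed name, not a real DoD CA).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem >/dev/null 2>&1

# Intermediate CA, issued by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.pem >/dev/null 2>&1

# Client certificate, issued by the intermediate (plays the role of the
# certificate that lives on the smartcard).
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=Example User" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile client.ext -out client.pem >/dev/null 2>&1

# verify_client ROOT [INTERMEDIATE]: exit status 0 when openssl can build a
# path from client.pem to the trusted root, non-zero otherwise.
verify_client() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" client.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" client.pem >/dev/null 2>&1
  fi
}

# chain_status: one line per case, mirroring "before" and "after" the CA import.
chain_status() {
  if verify_client root.pem; then
    echo "leaf + root only: OK"
  else
    echo "leaf + root only: FAIL (issuer certificate not available)"
  fi
  if verify_client root.pem int.pem; then
    echo "leaf + root + intermediate: OK"
  else
    echo "leaf + root + intermediate: FAIL"
  fi
}

chain_status
```

The first case fails with openssl's "unable to get local issuer certificate" because nothing links the client cert to the root; supplying the intermediate closes the gap. The same tool is a quick way to find out which CA certificates a browser needs: dump the certificate from the card or from a signed message, read its Issuer field, and keep walking up until you reach a self-signed root.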

November odds-and-ends

Megan has moved beyond walking just a few steps, to walking as a preferred mode of travel. She still falls down when encountering any small obstacle, but she’s getting better every day. She had her first peanut-butter and jelly sandwich today. While she’s always been cute, she is getting more fun as she discovers how to do more things. She’ll climb into her toy box, or figure out how to put one toy into another and carry them around.

In the nostalgia department, I visited the house in Orlando where I lived when I was four years old. I don’t remember much about that house and I had a fair bit of trouble finding it. (The name of the street has changed from North Bay Road to Main Street.) The roads were still the same dusty gravel. The current owners were the same ones that bought the house from my parents 27 years ago, and in fact, still had a toy ("park-n-play") that I recognized. (They offered to show me the toy as long as I promised not to claim it.) The lake (Lake Butler) was the same. Most of the oaks are gone, victims of one hurricane or another.

I’m thinking about building a Wiki engine for work and home. I’ll do it in mod_perl, of course. There is at least one Wiki engine already (MiniWiki) that’s built for mod_perl, and I’ll examine that for use as a base. Feature-wise, I need something that’s Public Key Enabled (PKE), to provide for easy identity management for DoD users, and provides a basic level of authorization. Also, I’d like to have an associated discussion thread for each WikiNode, that does not use the Wiki editing metaphor. I can’t stand the clutter of using a Wiki as a discussion board. Wikipedia does this well, I think. I also have a vision of having an easy-to-use upload and link/embed mechanism using a "clipboard frame" on the side. (But first-things-first, I have to get the basics working.) Embedding Kupu would be a nice feature also. And I saw a neat JavaScript drawing tool too. Hmm.

I’ve gone over 1000km on my scooter, which means it’s due for a check-up. I’ve really enjoyed having the scooter and commuting on it, but it’s starting to get significantly cold, and I need to have a better mechanism for staying warm while riding.

Walking

Megan started walking yesterday, while I was at work. Unfortunately, we were hosting some big meeting in the conference room, and I had to both attend and escort, so I couldn’t come home to see it until late, and I missed it. This morning she won’t walk again. Sigh.

Work Blogging?

I’m thinking that I should start writing daily blog entries about what I do at work. Then I can publish that sort of information to my boss and co-workers. This will require some enhancement of the blog-engine, since I don’t want my "personal" blog entries to interfere with my "work" entries and vice-versa. So I need to add a "category" field to the database, and to the management screens.

Today I downloaded the NCES SDKs (which is just the security and service discovery services, so far) and read through the FAQs and User Guides for them. They’re Java implementations, and I don’t have a working Java IDE for my work computer (which is temporary anyway), or for home. (I did once, but it’s bit-rotted.)

It’s annoying to not have the comforting tools of my own machine (i.e. my linux-server) here at work. Sure, it’s just a network connection away, but my DSL line is kinda slow. I also installed Cygwin on my work machine, which makes it passingly more useful to me.

I updated the Kupu editor last night for the Blog engine to version 1.1, because 1.0.3 was not working well with the stupid IE version here at work. It’s working, but the title property isn’t updating. Grr. Hmm. I do have Netscape 4.7 installed… I wonder if that would work. I suppose I could just install Mozilla for win32.

Oh, I also read some about FCS today – the DARPA C2 Experiment 4 Phase 2 report. It’s passingly interesting.

I chaired a meeting of the OSD Desktop Engineering IPT, too. Attendance was poor (5 people), but progress was good. I tasked a bunch of stuff to Quintin; all of which is pretty easy but should have big returns, such as setting up the central repository, etc.

Hmm. Gotta remember to talk to Ki tomorrow.

Scooter!

Last week I started a new job with the Office of the Assistant Secretary of Defense (Networks and Information Integration). My new office isn’t in the Pentagon anymore, (Huzzah!) it’s in Crystal City. The down side of this is that I’m slightly farther away from home in the new space, but the up side is that I’ve used this as an excuse to buy a motor scooter.

In Virginia, like many places in the US, vehicles with less than 50cc displacement engine are technically described in the law as "mopeds", and are regulated pretty much like bicycles. In other words, you don’t need a motorcycle license, nor does the vehicle require license plates or registration. Most important for this area, it’s perfectly legal to park them anywhere you would park a bicycle. (Parking in Crystal City currently costs about $110 USD per month.) Plus, it’s fun to ride!

Little Egypt

She walks, she talks, she crawls on her belly like a reptile! *

Well, that’s not a very flattering description of my daughter, and not particularly accurate either, since she doesn’t really walk yet. But this past week she both started crawling and talking. She’d been big with the "AAAAH!" previously, but she never really had any consonants. Now she can say, "Da da da da da da da."

It’s not a big vocabulary, but it’s still exciting.

* For those who don’t understand the reference, the Coasters recorded a song called "Little Egypt" that included this line.

Gentoo

I’m resurrecting my older computer (affectionately named ‘Dustpuppy’), to be an audio server for the bedroom. (And any other tasks I can think of to offload to it.) Including serving as a wireless access point via the HostAP drivers.

I’m using the opportunity to experiment with Gentoo Linux. Wish me luck. At first glance Gentoo seems neat, but building everything from source (which I used to do as a matter of pride) now seems merely time consuming.

I’d really like to make the thing into some sort of appliance, like I did when I developed PictureFrame Linux. If the filesystem were read-only, and served out as a network file from the server, there’d be less to get outdated and possibly break or serve as a vulnerability.