[EAS] New Sage Update

Harold Price hprice at sagealertingsystems.com
Thu Aug 30 08:57:49 CDT 2018


There may be a little confusion about the signing certificates.
While this is the same basic public key encryption scheme as SSL uses to verify HTTPS web sites, the recent expiring FEMA cert is not an SSL certificate.
The cert we're talking about is part of the chain that is used to sign a CAP message.  This is part of the digital signature scheme for XML messages on which CAP is based.
As currently used by FEMA, there are five certificates in the chain.  Here is a shorthand description of how this works. A unique cert is given to each originator.  Let's call this the leaf certificate.  The public part of the leaf certificate is included in the CAP message, and the private part is used to "sign" the message.  Inside the leaf cert is a pointer to the cert that was used to sign the leaf cert.  We call that next cert an intermediate cert.
That cert is not included with the CAP message.  It must be available to the device by some other means.  It is stored in the ENDEC.  That intermediate contains a pointer to the cert that signed it, as does each subsequent link in the chain.  All of these certs are stored on the ENDEC.
The last intermediate points at a root cert, which is also stored on the ENDEC.  All of the intermediates expire at different times, and are controlled by different entities in the government.  Some of them last two years, some three, some for one.  Various federal policies set these times, and limit how far in advance you can get a replacement.  For the cert at hand, the advance time was about 30 days.  While we (and FEMA) wanted to include this cert with the update for the May cert, the new cert wasn't available until now.
FEMA is working with the CAP/EAS vendors to come up with a way to do this without user intervention.  This recent cert expired before we could complete that work.  Hopefully we'll get a mechanism in place before the next expiration in 2019.
Harold
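The chain walk described above, as an added Go example that is not Sage's or FEMA's code: the leaf arrives with the message, while the intermediate and root are the copies held on the device. It assumes a constructed toy chain with one intermediate in place of FEMA's five-cert chain, and shows that verification fails once the stored intermediate has lapsed even though the leaf itself is still in date.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a cert for name signed by parent (self-signed when parent is nil).
// Constructed toy chain for illustration, not FEMA's or Sage's certificates.
func makeCert(name string, notAfter time.Time, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-24 * time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent, pkey = tmpl, key } // root signs itself
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildChain returns leaf, intermediate, root; only the intermediate's expiry varies.
func buildChain(interNotAfter time.Time) (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	year := 365 * 24 * time.Hour
	root, rootKey := makeCert("Root", time.Now().Add(10*year), true, nil, nil)
	inter, interKey := makeCert("Intermediate", interNotAfter, true, root, rootKey)
	leaf, _ := makeCert("Originator leaf", time.Now().Add(year), false, inter, interKey)
	return leaf, inter, root
}

// verifyLeaf does the ENDEC's check: the leaf comes from the CAP message,
// the intermediates and root are whatever copies the device has stored.
func verifyLeaf(leaf *x509.Certificate, stored []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range stored { inters.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err // non-nil when any link in the chain is expired or missing
}
```

Calling verifyLeaf with an intermediate whose NotAfter is in the past returns an error even though the leaf is valid, which is the failure a lapsed stored cert produces on the device.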


