[EAS] FW: New Sage Update

Sean Donelan sean at donelan.com
Thu Sep 6 00:33:20 CDT 2018


On Wed, 5 Sep 2018, Ed Czarnecki wrote:
> It is a "digital cert thing" not so much an "IPAWS thing."  And to be fair
> to FEMA IPAWS, they have provided the certs as soon as they got them from
> their source.  For whatever reason, certs tend to be generated a month or
> less before expiration date.

Yes, the Federal PKI community is a bit of bizzaro world.  They are very 
dedicated people who care a lot about PKI.  But sometimes their decisions 
drive everyone else in government a bit crazy.  For example, they are 
removing the Federal Common Policy CA from Microsoft, Apple and Android 
trust lists, which means IT people have to make a change on millions 
of federal laptops, computers and smart phones.  If you think EAS 
broadcasters are complaining, you should hear the moaning and whining from 
the government IT folks ;-)

Trilithic got lucky this time, and doesn't require a change to their 
certificate store. Trilithic uses the stand-alone IdenTrust Global 
Common Root CA instead of the cross-signed version with the Federal Common 
Policy CA. The stand-alone IdenTrust cert doesn't expire until 2034. It 
works, but doing it that way will likely make the Federal PKI community 
cranky.

> We're hoping we all can move towards an automated approach to certificate
> updating (FEMA together with the EAS manufacturing community).  We
> understand it's troublesome for the EAS community (whether it's one small
> station with a contract engineer, or a major cable operation with hundreds
> of sites to update).  It's also not so great for EAS manufacturers, who need
> to defer other priorities, not to mention handle the hundreds of related
> emails and calls.

In theory, xmldsigned messages, i.e. the CAP XML message distributed by 
IPAWS, can include the entire intermediate cert chain used to sign the CAP 
message. This would ensure recipients received the same (and complete) 
intermediate certificate chain used by the signer. Similar to how 
different websites exchange intermediate CA chains with browsers now 
instead of loading intermediate CAs in certificate trust stores. Most 
certificate trust stores, e.g. Microsoft, Apple, Android only include
Root CAs now.

Alert originators would get the intermediate CA chain at the same time 
they obtained their signing certificate. The alert origination software 
would add the intermediate CAs as part of the xmldsignature.

But that would likely require alert origination software changes, EAS and 
public IPAWS-OPEN client software changes, and lots of testing by 
everyone involved.
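The receiver side of the idea above, as an added example that is not part of the original post or of any IPAWS or EAS vendor software: pull the certificates an originator embedded in the CAP message's XML Signature (the standard ds:KeyInfo/ds:X509Data/ds:X509Certificate elements) and walk them issuer-to-subject until a locally trusted root is reached, so no intermediate CA ever has to live in the device's trust store. The certificates, the trust store and the CAP message are constructed inline (unsigned DER skeletons with made-up names); the code checks chain linkage only and deliberately does not verify the SignatureValue, which a real XML-DSig/X.509 library must do before an alert is acted on.

```python
"""Pull the X.509 chain a CAP message carries in its XML Signature (ds:KeyInfo/
ds:X509Data/ds:X509Certificate) and check it links, issuer to subject, to a root
in the local trust store. Constructed example (unsigned DER skeletons, synthetic
CAP XML), not IPAWS output; linkage only, no signature verification is done."""
import base64
import xml.etree.ElementTree as ET
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
OID_CN = b"\x55\x04\x03"                                  # id-at-commonName
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption

def der(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_read(buf, pos=0):
    """Decode the TLV at pos -> (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    k = 0 if first < 0x80 else first & 0x7F           # long-form length bytes
    n = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    start = pos + 2 + k
    return tag, buf[start:start + n], start + n

def der_children(content):  # yields (content, raw_tlv) per element of a constructed value
    pos = 0
    while pos < len(content):
        _, body, nxt = der_read(content, pos)
        yield body, content[pos:nxt]
        pos = nxt

def cert_names(cert_der):
    """(issuer, subject) as raw DER Names; tbs fields after optional [0] version."""
    tbs = der_read(der_read(cert_der)[1])[1]
    fields = [raw for _, raw in der_children(tbs)]
    if fields[0][0] == 0xA0:
        fields = fields[1:]               # serialNumber, signature, issuer, validity, subject
    return fields[2], fields[4]

def common_name(name_der):  # first commonName in a DER Name, for readable output
    for rdn, _ in der_children(der_read(name_der)[1]):
        for atv, _ in der_children(rdn):
            _, oid, nxt = der_read(atv)
            if oid == OID_CN:
                return der_read(atv, nxt)[1].decode()
    return "<no CN>"

def embedded_chain(cap_xml):
    """DER bytes of every ds:X509Certificate in the CAP's signature KeyInfo."""
    elems = ET.fromstring(cap_xml).findall(
        f".//{{{DS_NS}}}X509Data/{{{DS_NS}}}X509Certificate")
    return [base64.b64decode("".join(e.text.split())) for e in elems]

def build_path(certs, trusted_roots):
    """Order embedded certs leaf-first by issuer->subject linkage; succeed only if
    the last issuer is a local trusted root. Raises ValueError otherwise."""
    by_subject = {cert_names(c)[1]: c for c in certs}
    root_subjects = {cert_names(r)[1] for r in trusted_roots}
    issuers = {cert_names(c)[0] for c in certs}
    leaves = [c for c in certs if cert_names(c)[1] not in issuers]  # issued nothing
    if len(leaves) != 1:
        raise ValueError("cannot identify a unique end-entity certificate")
    path = leaves
    for _ in certs:                       # bounded walk: a cycle cannot hang us
        issuer = cert_names(path[-1])[0]
        if issuer in root_subjects:
            return path
        if issuer not in by_subject:
            break
        path.append(by_subject[issuer])
    raise ValueError("embedded chain does not reach a trusted root")

def chain_subjects(cap_xml, trusted_roots):  # subject CNs along the validated path
    return [common_name(cert_names(c)[1])
            for c in build_path(embedded_chain(cap_xml), trusted_roots)]

def fake_cert(subject_cn, issuer_cn):
    """Constructed, unsigned certificate skeleton with the fields read above."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    tbs = der(0x30, b"".join([
        der(0x02, b"\x01"),                               # serialNumber (v1, no [0])
        der(0x30, der(0x06, OID_SHA256_RSA)),             # signature algorithm
        name(issuer_cn),
        der(0x30, der(0x17, b"180101000000Z") + der(0x17, b"340101000000Z")),
        name(subject_cn)]))                               # (SPKI etc. omitted)
    return der(0x30, tbs + der(0x30, der(0x06, OID_SHA256_RSA)) + der(0x03, b"\x00"))

ROOT_CA = fake_cert("Example Root CA", "Example Root CA")
INTERMEDIATE_CA = fake_cert("Example Intermediate CA", "Example Root CA")
ORIGINATOR = fake_cert("Example Alert Originator", "Example Intermediate CA")

# Synthetic CAP alert carrying leaf + intermediate, so a receiver with only ROOT_CA completes the path.
SAMPLE_CAP = f"""<alert xmlns="urn:oasis:names:tc:emergency:cap:1.2">
<identifier>EXAMPLE-0001</identifier><Signature xmlns="{DS_NS}">
<SignedInfo/><SignatureValue>placeholder</SignatureValue><KeyInfo><X509Data>
<X509Certificate>{base64.b64encode(ORIGINATOR).decode()}</X509Certificate>
<X509Certificate>{base64.b64encode(INTERMEDIATE_CA).decode()}</X509Certificate>
</X509Data></KeyInfo></Signature></alert>"""
```

`chain_subjects(SAMPLE_CAP, [ROOT_CA])` returns the leaf and the intermediate in order; the same message checked against a trust store holding some other root, or a message whose signature omits the intermediate, fails with ValueError rather than silently trusting a partial chain. The hand-rolled DER reader exists only so the example runs offline; in a receiver you would hand the decoded DER to the platform's X.509 library, which also enforces validity periods, key usage and the signatures along the path.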