[EAS] Certs and PKIs

Sean Donelan sean at donelan.com
Thu Sep 6 12:02:46 CDT 2018


Much of it will depend on what role FEMA wants to take.

Will FEMA be just a passive clearinghouse of alert messages or actively 
manage identity of alert originators? For example, will NWS use 
certificates issued through IPAWS or will NWS use certificates issued 
through NOAA for its other weather products? If cross-border CAP messaging 
between the US IPAWS and Canada NAAD becomes a reality, it gets even more 
complicated than the normal inter-agency squabbles between federal agencies.

Likewise, the DHS CIO manages the infrastructure used by IPAWS. DHS CIO 
has its own certificate policies, which have different certificates for 
apps.fema.gov, not managed by IPAWS. DHS CIO switched its certificates 
from GeoTrust to DigiCert last year. So you have different trust lists for 
the HTTPS connection and the CAP XML signature validation.

Apple, Microsoft, Google, Mozilla spend a lot to manage the certificate 
trust list updates on their various operating systems. IPAWS is a niche 
product, so I don't know how much people will be willing to spend on CTL 
management.

On Thu, 6 Sep 2018, Ed Czarnecki wrote:
> The Federal PKI is changing in Nov 2019, so that is why there will be a cert
> update even though the cert expiration dates will not yet have passed.
> All part of that arcane Federal PKI thing.  And to compound matters, the
> Federal PKI changes impact the vendors of these certs, which then in turn
> impact IPAWS (and then all of us in turn).
>
> I believe the 2019 change will impact the global common root, so all EAS
> vendors will need to be ready for that adjustment (setting aside the whole
> discussion of the appropriateness of using stand-alone certs instead of the
> FEMA-provided cross-signed certs).
>
> Canada has one method of semi-dynamically validating their certs in the
> Canadian NAAD system.  IPAWS is considering a different method.  All means
> to the same end - improved authentication of digitally signed CAP messages.
>
> -----Original Message-----
> From: EAS [mailto:eas-bounces at radiolists.net] On Behalf Of Sean Donelan
>
> On Wed, 5 Sep 2018, Ed Czarnecki wrote:
>> It is a "digital cert thing" not so much an "IPAWS thing."  And to be fair
>> to FEMA IPAWS, they have provided the certs as soon as they got them from
>> their source.  For whatever reason, certs tend to be generated a month or
>> less before expiration date.
>
> __________________________________________________________
> The EAS Forum Discussion List is hosted by the BWWG (Broadcast Warning Working Group). The Core members of the BWWG are Adrienne Abbott, Clay Freinwald, Suzanne Goucher, Barry Mishkind, David Ostmo, Darryl Parker, Richard Rudman, Gary Timm, and Sharon Tinsley. http://eas.radiolists.net
> ___________________________________________________________
>


