[EAS] Sage Update Available

[Sean Donelan]

On Tue, 5 Nov 2019, Sean Donelan wrote:
> The November 8 deadline is a 'soft' deadline.  Participants can change the 
> box configuration to ignore invalid signature problems.

As has been pointed out, that is not compliant with 47CFR11.56(c) "EAS 
Participants shall configure their systems to rejectall CAP-formatted EAS 
messages that include an invalid digital signature."

Vendors originally shipped CAP boxes with default configuration settings 
which didn't validate digital signatures. Many boxes in the field still 
use the original default configuration settings, unless someone 
updates the original configuration.

You can tell this happens when people ask on various EAS lists about 
'missing' alert messages, while other people say they had no problem 
getting the alert message.  The people 'missing' the alert message were 
configured to check signatures correctly, and the people who got the alert 
were misconfigured not to check signatures.

Of course, you are also out-of-compliance by not promptly installing
new CAP digital certificates. Which non-compliant alternative do you 
choose?

INAL, as always, consult a licensed communications attorney.

It would be nice if more CAP vendors followed recent X509 PKI practices, 
and automatically updated intermediate CAs online.  Apple, Google and 
Microsoft automatically download intermediate CAs now.  Mozilla does not.
Yes, there is a big debate between the Mozilla developers and the other 
browser developers on this topic about manual vs. automatic CA management.