Need help understanding security requirements


I do freelance marketing and advertising and I have a prospective client
who says my computers must meet certain requirements before they will do
business with me. They listed the following:

Digital Certificate (including CAC)

Microsoft Cryptographic Application Programming Interface (Crypto API)

Dynamic Linked Library version

I don't know what these items are. Can someone please enlighten me? I have
Windows XP Pro on one computer and XP Home on a second computer. I use
Outlook Express for email. Do I already meet any of these requirements and
if not, what would I need to do to meet these requirements?

Thank you,

Steve Smith

Re: Need help understanding security requirements

Steve Smith wrote:
You have the crypto API, and the DLL.  The CAC is a smart card that
contains a digital certificate.  Word of warning here as there are
several CAC types available and you may need to be cognizant of which
CAC certificate compatibility is required and the required cert length
as there are several cert types used by different entities.  Obviously
you will also need a compatible CAC reader and supporting CAC software.

Typical smartcards (CAC) run about $50 to $75. Readers run under $50 and
the authentication software for the CAC typically runs about $100 (low

I believe you will also need Outlook instead of Outlook express.
Typically that runs about $100 by itself or about $400 if you buy the MS
office suite.  I have been unsuccessful in getting CAC to authenticate
successfully in Firefox (web transactions).  It has required IE 5.5 or
above to successfully do web CAC authentication, your mileage may vary.

Q:  Do they indicate who the cert authority will be?  There is typically
a charge for this service and for writing the certificates to the CAC.
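An added check, not part of either reply, that reports the three listed items on a current Windows host: the CryptoAPI DLL version, whether a smart card reader and its service are present, and whether a smart-card certificate with the logon or S/MIME usage has been propagated into the user's store. The function name is my own; the cmdlets and the EKU object identifiers are standard.

```powershell
# Added example, not code from the thread. Reports the three items the client
# listed. Function name is my own choice; cmdlets and OIDs are standard.
function Get-CacReadiness {
    # 1. CryptoAPI and its DLL: crypt32.dll implements the Windows CryptoAPI,
    #    so its file version is the most plausible meaning of "DLL version".
    $crypt32 = Join-Path $env:SystemRoot 'System32\crypt32.dll'
    $dllVersion = (Get-Item $crypt32).VersionInfo.FileVersion

    # 2. CAC reader: the Smart Card service (SCardSvr) plus any PnP reader device.
    $svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
    $readers = Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'OK' | Select-Object -ExpandProperty FriendlyName

    # 3. Digital certificate: CAC middleware copies the card's certificates into
    #    the user's personal store. Smart Card Logon is the EKU needed for logon,
    #    Secure Email the one Outlook needs for S/MIME signing.
    $smartCardLogon = '1.3.6.1.4.1.311.20.2.2'
    $secureEmail    = '1.3.6.1.5.5.7.3.4'
    $certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and (
            $_.EnhancedKeyUsageList.ObjectId -contains $smartCardLogon -or
            $_.EnhancedKeyUsageList.ObjectId -contains $secureEmail)
    } | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Expires    = $_.NotAfter
            Expired    = ($_.NotAfter -lt (Get-Date))
            Thumbprint = $_.Thumbprint
        }
    }

    [pscustomobject]@{
        Crypt32Version     = $dllVersion
        SmartCardService   = if ($svc) { $svc.Status } else { 'not installed' }
        Readers            = @($readers)
        CandidateCertCount = @($certs).Count
        Certificates       = @($certs)
    }
}

Get-CacReadiness | Format-List
```

Get-PnpDevice and the Cert: drive's EnhancedKeyUsageList need PowerShell 3 or later, so this applies to a current Windows host rather than the XP machines in the question. An empty Readers list or a CandidateCertCount of 0 means the reader, middleware or card is missing, not that CryptoAPI is absent.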


Re: Need help understanding security requirements


OK, I'm going to be a pain in the ass; but, I assure you, my motives are
pure :-)

The three things you listed are labels, names, buzzwords, and NOT
requirements.  Without being as abrasive a prick as I am, you should
demand (request?) that your client make clear what it is *exactly* that
he wants.

However, using guesswork and softening my stance a little, I assume your
client is obliged to conform to (or has adopted independently) certain US
DoD & GSA requirements which do "specify" (I'm using the word loosely)
some of the above buzzwords.

In short, these requirements mandate certain authentication methods
(digital certificates) possibly to be used in conjunction with CACs
(common access cards - aka smartcards).  That is, to get access to their
(DoD/GSA) computer systems you must have certain authentication
credentials and run on a modern operating system (Windows XP & IE
qualifies - i.e., uses crypto API/DLL 2.0  - which tells you something
about how artificial all this shit is!)
As a Canadian I'm delightfully free of this bureaucratic morass, so
that's about as far along the path as I can take you.  Bonne chance!


PS    Here's one company that supplies certificates:
