Martin, I am including my reply on list to help others too.

When our customers request compliance with (insert any term or misuse of term), they are requesting that their web applications authenticate against an established Public Key Infrastructure (PKI). It is typically a client certificate on a smart card, in the DoD the Common Access Card (CAC). These smart cards are to comply with HSPD-12. To properly use the client certificate, the system must check its revocation status too. Further, the server too needs a certificate, and the authentication must be reliable (don't use a cookie as the authorization).

If you would like any information, please email us. If you are looking for non-consulting advice and help, email on list; if you are looking for professional consulting services, email off list. We are glad to help: FOSS, 501(c)3, .GOV, and .com.

Jason Pyeron

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Sr. Consultant                    10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you
have received it in error, purge the message from your system and
notify the sender immediately. Any other use of the email by you
is prohibited.

> -----Original Message-----
> From: Martin Gainty [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 14, 2008 11:33
> To: [EMAIL PROTECTED]
> Subject: Re: Is Tomcat FIPS compliant
>
> Hi Jason
>
> If I can ask a dumb question, as I am unfamiliar with the acronyms:
> How does CAC make any system FIPS compliant?
> Is there any documentation specifying a CAC will enable an entire or some
> part of a system to be FIPS compliant?
>
> Thanks
> Martin
> ----- Original Message -----
> From: "Jason Pyeron" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <users@tomcat.apache.org>
> Sent: Monday, January 14, 2008 10:33 AM
> Subject: RE: Is Tomcat FIPS compliant
>
>
> > Under proper configuration and installation, yes it can be compliant, we
> > routinely set it up to handle CAC.
> >
> > > -----Original Message-----
> > > From: Mark H. Wood,UL 0115A,+1 317 274 0749,
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Mark H. Wood
> > > Sent: Monday, January 14, 2008 10:00
> > > To: users@tomcat.apache.org
> > > Subject: Re: Is Tomcat FIPS compliant
> > >
> > > That probably depends on which FIPS you mean. There are at least 201
> > > different U.S. Federal Information Processing Standards.
> > >
> > > --
> > > Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
> > > Typically when a software vendor says that a product is "intuitive" he
> > > means the exact opposite.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
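
The four requirements named in the reply above (server certificate, mandatory client certificate, revocation check, no cookie as the authorization), written out as Tomcat configuration. This is an added example, not part of the original thread and not the poster's own setup. It assumes the Tomcat 8.5+ `SSLHostConfig` syntax and Servlet 3.0+ `web.xml`; all file names, passwords and the `cac-user` role are placeholders.

```xml
<!-- conf/server.xml (fragment): HTTPS connector that demands a client certificate -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <!-- certificateVerification defaults to "none", which never asks for a
       client certificate; "required" fails the handshake without one.
       The truststore holds only the issuing CAs of the PKI (placeholder path).
       The CRL file (placeholder path) is what makes revoked cards fail. -->
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="conf/pki-ca-truststore.jks"
                 truststorePassword="CHANGE_ME"
                 certificateRevocationListFile="conf/pki-ca.crl">
    <!-- The server's own certificate and private key (placeholder path) -->
    <Certificate certificateKeystoreFile="conf/server-keystore.jks"
                 certificateKeystorePassword="CHANGE_ME"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- WEB-INF/web.xml (fragment): bind the application's login to that certificate -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cac-user</role-name>          <!-- placeholder role -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>     <!-- identity comes from the TLS handshake -->
</login-config>
<security-role>
  <role-name>cac-user</role-name>
</security-role>
<session-config>
  <!-- Track the session by TLS session instead of a JSESSIONID cookie -->
  <tracking-mode>SSL</tracking-mode>
</session-config>
```

A CRL file is only as current as its last download, so it needs a scheduled refresh followed by a connector reload; the realm must also map the certificate subject to the placeholder role.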