Articles by: Timothy Perfitt

Apple FIPS Cryptographic Module v1.1 posted

Apple has posted the Apple FIPS Cryptographic Module v1.1 and has an associated "How to set up and maintain a FIPS-enabled OS X Lion system" kbase. FIPS validation is a certification program by NIST (National Institute of Standards and Technology) to verify cryptographic modules. It appears from here that the CDSA module is 140-2 level 1 certified. For those not versed in the dark details of FIPS certification, Wikipedia defines 140-2 Level 1 as "all components must be 'production-grade' and various egregious kinds of insecurity must be absent".

The interesting piece to all this is in the "additional information" section of the "How to set up and maintain a FIPS-enabled OS X Lion system" kbase:

"OS X Lion security services are now built on a newer "Next Generation Cryptography" platform and have transitioned from the CDSA/CSP module previously validated on Mac OS X v10.6. However, Apple has re-validated the same CDSA/CSP module under OS X Lion to provide continued validation solely for third-party applications."

So Lion is not FIPS validated, but the CDSA on Lion is, but only 3rd party apps use it. Clear?

Read more

Update: WWDC 2012 Tickets Sold out!

Well, that was fast. WWDC 2012 tickets sold out in record time! Hopefully you got yours, but if not, there are always the videos. Now we just need to wait to hear the screams from the folks on the West Coast as they wake up and realize what happened. Not to mention our friends in Australia and Asia!

Read more

WWDC 2012 Tickets Available!

WWDC 2012 has been announced for June 11-15, and tickets are now available! Run, don't walk, to https://developer.apple.com/wwdc/ and grab yours now. Every year it sells out faster, and this year should be no exception. AFP548.com is in the planning stages for some cool stuff around WWDC, so stay tuned. Now head over to https://developer.apple.com/wwdc/ and get your ticket already!

Read more

Becoming a CSA to sign SSL certs for Open Directory Replicas

If you have an Open Directory infrastructure, and you want to secure your connections between the client and Open Directory services using SSL, the simplest solution is to purchase SSL certificates and install a certificate on your Open Directory Master and each Replica. However, each server will require its own certificate. In this article, we'll look at how to create a Root Certificate Authority and how to create and sign certificates for your Open Directory Master and Replicas.

Read on for more…

Read more

Using host principals to secure connections to 3rd party KDCs

If you are in an environment where you are integrating Mac OS X with 3rd party KDCs, you already know about the builtin:krb5authnoverify addition to your /etc/authorization. But did you know that you can use the builtin:krb5authenticate option to provide better security by assuring that your KDC is not being spoofed? Are you safe from the "Zanarotti attack"? Read on to find out how to get it set up and running.

Read more

Using avelsieve to edit Sieve filters in SquirrelMail on 10.5

Leopard Server has all of the pieces installed for sieve filters for server-side mail filtering, but if you want to use the SquirrelMail filter interface to allow users to add filters, then you have to do a little work. We've provided a pkg to install the avelsieve package that allows you to install the plugin into SquirrelMail, but it is a bit incompatible with 10.5 Server.

Read on to see how to resolve it…

Read more

Creating a Network Enabled BartPE disk for Intel Macs

So you got your Macs all pimped out with a bootcamp partition and dual boot. However, what do you do when you start having problems with the Windows partition and want to edit some system files, do a virus scan without being booted from that Windows partition, or do repairs on an unstable system?

BartPE allows you to create a bootable CD that contains just enough of Windows XP to get you up and running so you can do some diagnostics on your Windows partition. You still have to have a Windows XP license to create a BartPE disk, but if you are repairing a Windows install, then you probably already have the license.

The one drawback to a generic BartPE CD is that networking does not work on Intel Macs due to missing network drivers. We know that these drivers are on the BootCamp driver disk, but since they are all executable (.exe) files, it is difficult to know how to include them.

We'll walk through the steps of creating a BartPE disk with network drivers so that you'll be able to boot up from the CD and have read/write access to the NTFS partition.

Click Read More to see the steps to create the CD.

Read more

convert postfix-watch to full blown postfix on X Server

This is a tale about getting rid of postfix-watch.

Read more