• View
• Edit
• History
• Print

ECA

External Certificate Authority (ECA)

Certain contracts require a External Certificate Authority (ECA) certificate.

• http://iase.disa.mil/pki/eca/index.html - ECA PKI Program

Procedure

1. Go to the Verisign site at http://www.verisign.com/authentication/government-authentication/dod-interoperability/index.html for a "Medium Assurance ECA"
2. Follow the "Notary" path, we do not have a Trusted Agent.
3. Print off the form, take it to a notary public along with two forms of unexpired government issued picture ID. I suggest a passport and a driver's license. There is a campus notary, see http://www.cp.berkeley.edu/reso/Notary.htm. Otherwise, find a otary and pay $10.
4. Take the form to Jean Richter, who will authenticate that you work for UCB.
5. Fax or mail it to Verisign
6. Verisign will eventually authorize the ECA and send email with a URL from which you can pick up your ECA.
7. Be sure to back up your ECA.

ECA Vendor choice

https://jiffy.rome.af.mil/static/ECAFAQ.html - AFRL Rome ECA FAQ says:

A 1 year certificate is $109. Unfortunately, during the application process, Identrust certificates misidentify Firefox 3.6.3 under Mac OS X 10.5 as "Netscape" and reports "This configuration is not compatible for retrieving and using the digital certificate you have selected. If you intend to use your digital certificate with this browser, you will be asked at the end of the application phase to upgrade, or you may choose to upgrade later, during the retrieval phase."

A 1 year certificate is $119. I went with Verisign.

A 1 year certificate is $109. Unfortunately, eca.orc.com requires that I trust their Certificate Authority. This is stupidly and wildly insecure. Anyone who does so is a fool. "You will need to Trust the ECA Root Certificate Authority and the ORC ECA Root Certificate Authority. This only needs to be done once (unless there is a notice telling you that an update was made). A browser check will be conducted sending you to the appropriate page."