Re: [Fed-Talk] Common Access Cards with Entourage 2004 and Tiger
- Subject: Re: [Fed-Talk] Common Access Cards with Entourage 2004 and Tiger
- From: Brian Cadwell <email@hidden>
- Date: Tue, 03 May 2005 16:45:32 -0400
A note for those of you trying to sign mail messages with Mail.app and your
CAC (just PKI really). My understanding is that for SMIME support Mail.app
assumes that everything to the right of the @ symbol on your address is case
sensitive. So if your account address is entered into Mail.app in all lower
case letters, but your CAC email address was entered all in capital letters
(like mine was), Mail.app will *appear* to not see your certificates. In
fact there is no indication of any kind of problem. Apparently this behavior
is the result of strict adherence to the RFC #822, which does indeed
indicate that the local-part of the address requires case preservation. Hard
to argue with that, but I'm not aware of any other client that works like
this, so users are bound to be confused... I know I was.
bc
On 5/3/05 2:53 PM, "Shawn Geddis" <email@hidden> wrote:
> On May 3, 2005, at 2:25 PM, Thomas Doligalski wrote:
>
>> I've upgraded our Macs to Tiger, but am puzzled as to how to get
>> Entourage to work with our CAC cards. I can successfully see the
>> cac reader (with pcsctest), but am unsuccessful with the new cac
>> viewer program (which I had
>> to manually install from the Tiger installation disk).
>>
>> Anyone know how to configure Tiger to support smart cards?
>>
>> Tom
>
> Tom,
>
> The nice thing about the work we did with Tiger with respect to Smart
> Cards (i.e. CAC, PIV, ...) is that there is nothing special you need
> to do to use it for S/MIME under Mail.app or third-party applications
> like Entourage 2004 or higher.
>
> With a supported reader and a supported Smart Card Type (CAC, PIV,
> JPKI, BELPIC, ...) the Private Keys and Certs appear in the
> corresponding Smart Card *Keychain* (It is a 'reference' and not the
> actual data since a private key can never leave the Smart Card).
> Tiger fully abstracts Smart Cards as Keychains, hence any application
> that already leverages the certificates/keys within keychain will
> automatically get support for Smart Cards with no vendor
> modifications necessary. The typical scenario would be that the
> dynamic keychain that represents the Smart Card inserted would have
> the name "smart card #2" (if you insert multiple cards you will see
> "smart card #3", "smart card #4", ....)
>
> In Entourage 2004:
>
> * Select "Account Settings..."
> * Select the desired account
> * Click on "edit"
> -- The Edit Account Panel will appear
> * Click on "Security"
> * For each of the Certificate options (Signing / Encryption)
> -- Click on "Select" and select the appropriate Certificate
> from the Smart Card
> + Be careful to select the Mail Cert and not the ID Cert
> for the Signing Cert.
> * Done!
>
>
> My Smart Card Setup and Configuration Guide for 10.3 will be
> drastically reduced in size when revamped for 10.4. I am working on
> that update now.
>
>
> Those previously and currently using PC Card Smart Card Readers
> need to keep in mind that Tiger modified the kernel extension design
> and hence the older Panther driver/kext will NOT work under Tiger.
> The PC Card Smart Card vendors do have Tiger compatible drivers/kext
> for those readers -- I will have them available as well.
>
>
> -Shawn
> ___________________________________________
> Shawn Geddis
> Security Consulting Engineer
> Apple Computer - US Federal Government
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
bc
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
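
As an added example (not part of the original message and not Apple's code): a small Python check for the silent mismatch described in the reply above, comparing the address configured in a mail account with the addresses carried in a certificate and flagging pairs that differ only in letter case. The addresses are constructed samples, and the function names are hypothetical.

```python
from email.utils import parseaddr

def split_address(addr):
    """Return (local_part, domain), accepting 'Name <user@host>' forms."""
    _, bare = parseaddr(addr)
    local, sep, domain = bare.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return local, domain

def compare(account_addr, cert_addr):
    """Classify how the account address relates to one certificate address."""
    a_local, a_dom = split_address(account_addr)
    c_local, c_dom = split_address(cert_addr)
    if (a_local, a_dom) == (c_local, c_dom):
        return "exact"
    if a_local.lower() != c_local.lower() or a_dom.lower() != c_dom.lower():
        return "different"
    # Same address apart from letter case: a byte-for-byte comparison fails here.
    parts = []
    if a_local != c_local:
        parts.append("local-part")
    if a_dom != c_dom:
        parts.append("domain")
    return "case-only:" + "+".join(parts)

def diagnose(account_addr, cert_addrs):
    """Return (verdicts, suggestion); suggestion is the certificate's exact
    spelling to enter in the account when only the case differs."""
    verdicts = [(c, compare(account_addr, c)) for c in cert_addrs]
    if any(v == "exact" for _, v in verdicts):
        return verdicts, None
    for cert_addr, verdict in verdicts:
        if verdict.startswith("case-only"):
            return verdicts, "@".join(split_address(cert_addr))
    return verdicts, None

if __name__ == "__main__":
    # Constructed sample: account typed in lower case, certificate issued in upper case.
    account = "john.doe@example.mil"
    cert_addresses = ["JOHN.DOE@EXAMPLE.MIL"]
    verdicts, suggestion = diagnose(account, cert_addresses)
    for cert_addr, verdict in verdicts:
        print(f"{account} vs {cert_addr}: {verdict}")
    if suggestion:
        print(f"Enter the account address exactly as: {suggestion}")
```
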