Re: [Fed-Talk] Setting up Mac Mail for CAC Signing & Encryption
- Subject: Re: [Fed-Talk] Setting up Mac Mail for CAC Signing & Encryption
- From: "Timothy J. Miller" <email@hidden>
- Date: Tue, 07 Mar 2006 08:08:27 -0600
Brian Cadwell wrote:
> That is a great job of documentation. I'm still not clear on why you are
> clearing the token cache and copying the public certs to your keychain. I
> understand that you can't get it to work for you any other way, but I'd like
> to understand what is happening there.
tokend maintains a certificate cache indexed with the CAC hardware
identifier, which is unique to each card. What happened to Scott is
that he got new certs without getting a new card (very likely using an
UMP-PIP CAC update workstation, something the AF [whom I support] hasn't
widely deployed yet). tokend is apparently assuming that certs on a
given CAC never change (i.e., new certs == new card), which is generally
true but not completely true. So when Scott inserted his updated card,
tokend presented the old certs from the cache instead of updating the
cache from the card. This is certainly a bug (or more correctly,
"working as designed" as we used to say @IBM).
Ideally you shouldn't need to manually copy the new certs to tokend's
cache. I'd ask Scott if he killed and restarted tokend (or rebooted)
before manually filling the cache. If he did and it didn't work, I'd
call that a second bug.
> Also note that email address matching is case sensitive with Apple mail. You
> might want to add that little tidbit to your documentation for folks that
> have their email addresses recorded as ALL CAPS!
Interestingly, RFC2822 doesn't say anything on case-sensitivity on the
local-part of an addr-spec, but RFC2821 *does* specify that the
local-part of a mailbox MUST be treated as case-sensitive. Most
implementations get this wrong, however, and treat the local-part as
case-insensitive so long as the message is being delivered to an
end-user (vs. a command to some other application). So Apple is doing
the right thing, though it's extremely annoying in this case. :)
-- Tim
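The matching rule discussed above, written out as an added example (not code from the thread, Apple Mail, or tokend). It compares a sender address against the rfc822Name addresses in a certificate the way RFC 2821 section 2.4 specifies: the local-part is compared case-sensitively and the domain case-insensitively. A `strict=False` mode shows the lenient behaviour most implementations use instead, and `explain_mismatch` reports why a certificate was not selected, which is the check a user with an ALL CAPS address on their card would want. All addresses and certificate records below are constructed samples; the `emails` list stands in for a certificate's subjectAltName entries.

```python
"""RFC 2821 addr-spec matching for S/MIME certificate selection (added example).

RFC 2821 section 2.4: the local-part of a mailbox MUST be treated as
case-sensitive; the domain part is not case-sensitive. A client that follows
that rule will not select a certificate issued for "JOHN.DOE@example.mil"
when sending as "john.doe@example.mil". Sample data is constructed.
"""

from typing import Dict, List, Optional, Tuple


def split_addr_spec(addr: str) -> Tuple[str, str]:
    """Split 'local-part@domain' at the last '@'.

    The last '@' is used because a quoted local-part may itself contain '@'.
    Raises ValueError when either side is missing.
    """
    addr = addr.strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    return local, domain


def addr_matches(cert_addr: str, sender_addr: str, strict: bool = True) -> bool:
    """True if cert_addr and sender_addr denote the same mailbox.

    strict=True  follows RFC 2821: local-part byte-for-byte, domain case-folded.
    strict=False is the common lenient behaviour: the whole address case-folded.
    """
    c_local, c_domain = split_addr_spec(cert_addr)
    s_local, s_domain = split_addr_spec(sender_addr)
    if c_domain.lower() != s_domain.lower():
        return False
    if strict:
        return c_local == s_local
    return c_local.lower() == s_local.lower()


def explain_mismatch(cert_addr: str, sender_addr: str) -> str:
    """Describe why a strict comparison did or did not match (diagnostic aid)."""
    c_local, c_domain = split_addr_spec(cert_addr)
    s_local, s_domain = split_addr_spec(sender_addr)
    if c_domain.lower() != s_domain.lower():
        return "domain differs"
    if c_local == s_local:
        return "match"
    if c_local.lower() == s_local.lower():
        # Exactly the ALL CAPS situation: same mailbox to a human, different to RFC 2821.
        return "local-part differs only in case"
    return "local-part differs"


def select_signing_cert(
    sender_addr: str, certs: List[Dict], strict: bool = True
) -> Optional[Dict]:
    """Return the first certificate whose rfc822Name list matches the sender, or None."""
    for cert in certs:
        if any(addr_matches(e, sender_addr, strict) for e in cert["emails"]):
            return cert
    return None


# Constructed sample: the card's signing cert was issued with the address in ALL CAPS.
SAMPLE_CERTS = [
    {"label": "CAC signing cert (constructed)", "emails": ["JOHN.DOE@EXAMPLE.MIL"]},
]
SENDER = "john.doe@example.mil"  # how the account is configured in the mail client


if __name__ == "__main__":
    for strict in (True, False):
        chosen = select_signing_cert(SENDER, SAMPLE_CERTS, strict)
        label = chosen["label"] if chosen else "no certificate selected"
        print(f"strict={strict}: {label}")
    for e in SAMPLE_CERTS[0]["emails"]:
        print(f"{e} vs {SENDER}: {explain_mismatch(e, SENDER)}")
```

Running it shows the strict (RFC 2821) comparison selecting nothing while the lenient one selects the certificate, and `explain_mismatch` pins the cause to the local-part's case rather than the domain's. The fix in practice is the one the thread implies: configure the account address with the same case as the certificate, since the domain half can differ in case without consequence.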
Fed-talk mailing list (email@hidden)