Re: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
- Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
- From: "Timothy J. Miller" <email@hidden>
- Date: Wed, 03 Jan 2007 13:14:10 -0600

J. Keith Putnam wrote:
> You do not have access to this page based on the certificate you have
> chosen. If you are prompted to choose a certificate, be sure to choose the
> one with YOUR NAME and "Email" in the description. Also, verify that the
> certificate is not expired. You can do this by clicking on "View
> Certificate" at the "Choose a Certificate" prompt.
>
> If anyone has replied to Mark Thibert directly and is willing to share with
> me, I would appreciate it.

This is the result, from what I've been told, of the server not
returning an error when the wrong cert is presented to the server. A
number of DoD sites do this in order to redirect to a custom error page,
typically containing some CAC-related instructions. This in itself
isn't a problem, but Safari will not see the credential refusal (no SSL
error code was returned) and thus will not fall through to the next
credential (which in the CAC case will be the right one).

A fix for this would be for Safari to *not* auto-select certificates
when authenticating to websites, but Apple has good usability reasons to
do so.

In Keychain Access, you should find an identity preference for the site.
Delete it and hit the site again. If you're prompted with a cert
selection dialog, select your email signing cert and you *should* be
good to go.

If you're not prompted, delete the ID preference again. There's an
AppleScript application floating about somewhere that will allow you to
set ID preference to the correct cert on a per-URL basis; this will
allow you to work around this problem. Someone here should have a copy;
I had it but I can't find it.

-- Tim