Re: [Fed-Talk] X.509 certificate failures due to email case mismatch
- Subject: Re: [Fed-Talk] X.509 certificate failures due to email case mismatch
- From: "Timothy J. Miller" <email@hidden>
- Date: Mon, 10 Sep 2007 13:18:23 -0700

On Sep 10, 2007, at 12:15 PM, Paul Derby wrote:

> As we try to use X.509 certificates with our Macs running OS X with
> other organizations like the national labs, DOE and DOD, we keep
> running into problems with the certificate not working for
> signatures or the ability to encrypt back to the sender due to
> case mismatch in the RFC822 Name field.
>
> It seems that Entrust, Tumbleweed and Windows XP don't care whether
> or not the case matches in the RFC822 name field when compared to
> the sender's email address. But with Mac OS X, the case has to
> match exactly. So if someone sends from email@hidden and
> their certificate RFC822 field is email@hidden, OS X doesn't
> work.

Technically speaking, the local-part of an address is supposed to be
case sensitive, since only the domain-part has case insensitivity
defined (through the DNS RFCs, which are referenced in RFC2822 under
how to interpret the domain-part of an address). This is kind-of an
oversight, since case-sensitivity (either way) should always be
explicit rather than implicit.

AFAIK, Apple has the only MUA that has implemented it according to
the spec. This is both a good thing (compliance with a standard) and
bad (really is a PITA and a barrier to interoperability).

So--technically speaking--Apple has it right and the rest of the
world is wrong.

> Any ideas on how to get around this problem on the OS X end to tell
> OS X to use certificates when the case in the email address doesn't
> match?

Pay Apple money? :)

You could always join the IETF working group and change the RFC.

I don't mean to be snarky (well, yes I do, but in a friendly way :),
but I've been beating Shawn up about this for years. Four years,
actually. On-list and in person.

-- Tim
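
Added example (not part of the original message, and not Apple's or any other vendor's code): a small Python audit helper that compares a sender address against a certificate's RFC822 name values under the two behaviours discussed in this thread, so that certificates which would only match on a case-insensitive client can be found and reissued. The function names and the example.gov addresses are constructed for illustration.

```python
from email.utils import parseaddr


def split_addr(value):
    """Return (local_part, domain) from a From: header value or bare address."""
    _, addr = parseaddr(value)
    # Split at the last '@' so a quoted local-part containing '@' stays whole.
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {value!r}")
    return local, domain


def match_strict(sender, rfc822_name):
    """Local-part must match exactly; only the domain-part ignores case."""
    s_local, s_dom = split_addr(sender)
    c_local, c_dom = split_addr(rfc822_name)
    return s_local == c_local and s_dom.lower() == c_dom.lower()


def match_lenient(sender, rfc822_name):
    """Whole address compared without regard to case."""
    s_local, s_dom = split_addr(sender)
    c_local, c_dom = split_addr(rfc822_name)
    return s_local.lower() == c_local.lower() and s_dom.lower() == c_dom.lower()


def classify(sender, rfc822_names):
    """Return 'exact', 'case-only' or 'none' for one sender and its cert names."""
    if any(match_strict(sender, n) for n in rfc822_names):
        return "exact"
    if any(match_lenient(sender, n) for n in rfc822_names):
        return "case-only"  # works on lenient clients, fails on a strict one
    return "none"


if __name__ == "__main__":
    # Constructed sample data: (From: header, RFC822 names in the certificate)
    samples = [
        ("Jane Doe <Jane.Doe@Example.GOV>", ["Jane.Doe@example.gov"]),
        ("Jane Doe <jane.doe@example.gov>", ["Jane.Doe@example.gov"]),
        ("John Roe <john.roe@example.gov>", ["Jane.Doe@example.gov"]),
    ]
    for sender, names in samples:
        print(f"{classify(sender, names):10} {sender}")
```

Entries reported as "case-only" are the ones that fail on a client doing the strict comparison; aligning the sending address with the certificate (or reissuing the certificate) moves them to "exact".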