[Fed-Talk] Leopard Mail, Address Book, Key Chain Access interactions for X.509 certificates
- Subject: [Fed-Talk] Leopard Mail, Address Book, Key Chain Access interactions for X.509 certificates
- From: Paul Derby <email@hidden>
- Date: Thu, 15 May 2008 13:23:06 -0400
Can anyone explain the internal sequence of events as to how Mail, Key
Chain Access and Address Book communicate and interoperate with each
other?
I have an individual who had an expired X.509 certificate on my
keychain. So I ask him to send me a signed, encrypted email, which I
receive and read. I click on the checkmark seal in his email message
and am told the certificate is valid.
I go to the same individual's entry in the Address Book and check on
the seal next to the individual's same email address (same case, too),
and am told the certificate has expired. So obviously, receiving a
new certificate for an individual with an expired certificate does not
cause an immediate update for Address Book. The new certificate did
end up in the keychain.
I quit and relaunch Address Book and the certificate query still says
the certificate has expired. So relaunching Address Book still
doesn't link the new certificate to the person in Address Book.
Mail thinks the certificate is good. I can now send and encrypt with
the new certificate but Address Book reports the certificate is
expired - must still be pointing to the old certificate instead of the
new certificate.
Keychain Access has both certificates, and it makes no sense to throw
away the old certificate unless you want to lose the ability to
validate signatures done with the expired certificate for older email.
There is scant documentation on Keychain Access on the Apple web site,
except how to rebuild keychains when they become corrupt which happens
all too often.
We are spending hours and hours babysitting X.509 certificate issues
on OS X due to usability problems, voodoo behavior of the applications
that interact with certificates, and lack of documentation at both the
user level and the sys admin level/corporate support level. I suppose
those of us in the government sector are the main users of
certificates at this point. It would sure be nice if someone could
point to where someone (anyone) has figured out and documented the
interoperability behavior of X.509 amongst Address Book, Key Chain
Access and Mail.
Paul
(An OS X fanboy)
--
Paul Derby
Chief Enterprise Architect
supporting CBED Systems Program Office as IT Lead
Department of Homeland Security
email@hidden (preferred)
email@hidden
703-647-2745
Fed-talk mailing list (email@hidden)