Re: [Fed-Talk] Can Anyone Encrypt with CAC under 10.5.6 ?
- Subject: Re: [Fed-Talk] Can Anyone Encrypt with CAC under 10.5.6 ?
- From: "Timothy J. Miller" <email@hidden>
- Date: Mon, 12 Jan 2009 14:04:03 -0600
Basil Decina wrote:
> The last person I
> tested used a different e-mail that was on their cert (and others in
> their organization) so I had to dig through the cert to find the real
> e-mail address.

The email address in a DoD cert is very likely not correct. Well, it
was correct when the cert was issued, but DoD users tend to move around,
get re-org'd, and new naming standards get published every couple of
years, etc. These conspire to age the email address pretty damn quickly.

> So, I'm fine now. It would be nice to be able to arbitrarily assign a
> cert to an e-mail address but I don't think I can.

MS Outlook has an option to ignore the S/MIME requirement that the email
address in the cert match the recipient mail address. In an effort to
keep DoD CRLs from taking up more bandwidth than spam (DoD CRLs are
*massive*), a decision was made years ago to *not* require cert
re-issuance when the email address changes, and instead leverage this
option (called SupressNameChecks [sic] if you're interested).
Apple has generally refused to do this.
All is not lost. DoD is moving toward department-wide permanent email
addresses, so someday the address in the cert will never change.
-- Tim
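
An added example, not part of the original message: one way to read the addresses a certificate carries and compare them with the address you are about to encrypt to, which is the check that fails when the address in the cert has aged. It assumes an `openssl` command line recent enough to support `-addext`; the function names, the sample certificate and the `example.com` addresses are constructed for illustration.

```bash
# Added example: diagnose an S/MIME "address in cert does not match
# recipient" failure from the command line.

# cert_emails CERT.pem -> one address per line (subject emailAddress and
# subjectAltName rfc822Name entries), as printed by `openssl x509 -email`.
cert_emails() {
    openssl x509 -in "$1" -noout -email
}

# cert_matches_recipient CERT.pem ADDRESS -> exit 0 if ADDRESS is in the cert.
# Simplification (assumption): the whole address is compared
# case-insensitively, and the match must be on the full line.
cert_matches_recipient() {
    cert_emails "$1" | tr '[:upper:]' '[:lower:]' |
        grep -Fxq -- "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# make_sample_cert DIR ADDRESS -> writes DIR/cert.pem, a constructed
# self-signed certificate (not a DoD cert) with ADDRESS as its rfc822Name.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed User" \
        -addext "subjectAltName=email:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# report CERT.pem ADDRESS -> prints one diagnosis line.
report() {
    if cert_matches_recipient "$1" "$2"; then
        echo "match: $2"
    else
        echo "MISMATCH: $2 not in cert; cert carries: $(cert_emails "$1" | paste -sd, -)"
    fi
}
```

Calling `report cert.pem current.address@example.com` on a certificate exported from the keychain or directory shows whether the mail client's name check can succeed for that recipient.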