Re: [Fed-Talk] Can Anyone Encrypt with CAC under 10.5.6 ?
- Subject: Re: [Fed-Talk] Can Anyone Encrypt with CAC under 10.5.6 ?
- From: Basil Decina <email@hidden>
- Date: Thu, 22 Jan 2009 20:16:16 -0500
Back on this thread...
All but one of these problems is solved...
Has anyone experienced a CAC-signed e-mail from Apple Mail containing
only one e-mail cert, not two? The two certs should be the ("Encrypt,
Verify, Wrap, Derive") and the encryption cert ("Wrap") but only the
first was embedded in the message. (I had to go to https://dod411.gds.disa.mil/
and manually download the other cert.) With only one cert, I could
not encrypt to the person. With both, I could.
Also, this person receives both of my e-mail certs (when I sign a
message using Apple Mail) but cannot send an encrypted e-mail back to
me. (They can send me a signed e-mail --- containing only their first
cert --- and can decrypt my e-mail to them.)
We are both running 10.5.6 using a CardMan 3021 by OMNIKEY. I'm
using a GEMALTO GCX4 72K CAC and he is using an Oberthur card.
Thanks in advance, Basil
On Jan 12, 2009, at 1:57 PM, Basil Decina wrote:
Joe (and others),
Thanks for the response. I got it working and now can encrypt. A
little bit of a PEBKC problem but also a "perfect storm". One of
the addresses I tried to encrypt to only sent me their signing cert
("Encrypt, Verify, Wrap, Derive") not their encryption cert ("Wrap")
--- I have to find their public cert on the CAC web site and
download it. Another person used to have a cert that matched the
case of their e-mail but it was changed and they were issued another
cert with different case (so I had to manually match this). The
last person I tested used a different e-mail that was on their cert
(and others in their organization) so I had to dig through the cert
to find the real e-mail address.
So, I'm fine now. It would be nice to be able to arbitrarily assign
a cert to an e-mail address but I don't think I can. If you right-click
on a cert in Keychain, there is a place to set a "New Certificate
Preference" but it doesn't seem to override the e-mail used in the
cert. (PGP used to let you do this.)
Thanks again, Basil
On Jan 10, 2009, at 12:06 AM, Joe O'Toole wrote:
Hey there, Basil!
I have both 10.5.6 and Mail 3.5 and I'm able to encrypt and sign
messages. This was originally a clean Leopard install with it
being updated to 10.5.6 on a MBP prior to setting up the CAC. No
additional drivers or software were installed.
--I have an 'Oberthur ID One V5.2a Dual' card which I was issued a
couple months ago
--I am using one of the ActivIdentity USB v2.0 readers flashed with
SCR 331 v5.18 firmware (I had it work off the bat, so I haven't
updated to v5.25...not to mention: If I don't HAVE to boot up a
winblows machine to update the firmware, I won't). I originally
set it up successfully using the Omnikey 3021, but grudgingly had
to give it back to its owner
The 10.5.6 upgrade came updated with a new CCID class driver, but
I'm not sure if it would be due to that or not since you can
encrypt/decrypt to yourself. I would try removing the CAC cache
and possibly deleting your original certificates, restart...add the
certificates back in, close Keychain Access and then open Mail and
try again. It's weird that you can encrypt to yourself with no
problem, but not anyone else. That just sounds like you're missing
the recipients' certificates within your Keychain. Did the other
person upgrade in the same exact fashion as you?
Let us know how it goes. Others may have some different
suggestions, too. ;-)
--Joe O'Toole
On Jan 9, 2009, at 7:06 PM, Basil Decina wrote:
Can anyone encrypt with their CAC under MacOS X 10.5.6, Apple Mail
3.5 ? I upgraded to 10.5.6 and my ability to encrypt messages
broke. (It certainly worked under 10.5.4 and I'm pretty sure it
worked under 10.5.5.)
I can sign new messages and decrypt old ones. I can even send
myself an encrypted mail and decrypt it --- but I can't encrypt to
anyone else.
I'm using a CardMan 3021 by OMNIKEY with a GEMALTO GCX4 72K
CAC. Another person with the same configuration, except using an
Oberthur card, is having the same problem (but he can't encrypt
messages to himself). Both cards were issued to us in November,
2008.
Thanks, Basil
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden