Re: [Fed-Talk] Can Anyone Encrypt with CAC under 10.5.6 ?
- Subject: Re: [Fed-Talk] Can Anyone Encrypt with CAC under 10.5.6 ?
- From: Basil Decina <email@hidden>
- Date: Mon, 26 Jan 2009 16:59:20 -0500
To close this thread... Michael Kluskens gave me the secret trick...
It looks like sometimes, users only get one of their public e-mail
certs in their "login" keychain. When that happens, that user cannot
encrypt e-mail to anyone. And, any signed mail they send, only sends
one of their two e-mail certs --- so others cannot send an encrypted
message back to them.
To fix this, I had to instruct the user to drag both e-mail certs off
their CAC and into their "login" keychain. Then, when they sent me a
signed message, I received both certs. From there on, that user could
encrypt outgoing e-mail and I could encrypt e-mail to them (without
going to the CAC graveyard in the sky to retrieve their public e-mail
certs).
Thanks Mike.
Basil
On Jan 22, 2009, at 8:16 PM, Basil Decina wrote:
Back on this thread...
All but one of these problems is solved...
Has anyone experienced a CAC-signed e-mail from Apple Mail
containing only one e-mail cert, not two? The two certs should be
the ("Encrypt, Verify, Wrap, Derive") and the encryption cert
("Wrap") but only the first was embedded in the message. (I had to
go to https://dod411.gds.disa.mil/ and manually download the other
cert.) With only one cert, I could not encrypt to the person. With
both, I could.
Also, this person receives both of my e-mail certs (when I sign a
message using Apple Mail) but cannot send an encrypted e-mail back
to me. (They can send me a signed e-mail --- containing only their
first cert --- and can decrypt my e-mail to them.)
We are both running 10.5.6 using a CardMan 3021 by OMNIKEY. I'm
using a GEMALTO GCX4 72K CAC and he is using an Oberthur card.
Thanks in advance, Basil
On Jan 12, 2009, at 1:57 PM, Basil Decina wrote:
Joe (and others),
Thanks for the response. I got it working and now can encrypt. A
little bit of a PEBKAC problem but also a "perfect storm". One of
the addresses I tried to encrypt to only sent me their signing cert
("Encrypt, Verify, Wrap, Derive") not their encryption cert
("Wrap") --- I have to find their public cert on the CAC web site
and download it. Another person used to have a cert that matched
the case of their e-mail but it was changed and they were issued
another cert with different case (so I had to manually match
this). The last person I tested used a different e-mail that was
on their cert (and others in their organization) so I had to dig
through the cert to find the real e-mail address.
So, I'm fine now. It would be nice to be able to arbitrarily
assign a cert to an e-mail address but I don't think I can. If you right-
click on a cert in Keychain, there is a place to set a "New
Certificate Preference" but it doesn't seem to override the e-mail
used in the cert. (PGP used to let you do this.)
Thanks again, Basil
On Jan 10, 2009, at 12:06 AM, Joe O'Toole wrote:
Hey there, Basil!
I have both 10.5.6 and Mail 3.5 and I'm able to encrypt and sign
messages. This was originally a clean Leopard install with it
being updated to 10.5.6 on a MBP prior to setting up the CAC. No
additional drivers or software were installed.
--I have an 'Oberthur ID One V5.2a Dual' card which I was issued a
couple months ago
--I am using one of the ActivIdentity USB v2.0 readers flashed
with SCR 331 v5.18 firmware (I had it work off the bat, so I
haven't updated to v5.25...not to mention: If I don't HAVE to
boot up a winblows machine to update the firmware, I won't). I
originally set it up successfully using the Omnikey 3021, but
grudgingly had to give it back to its owner
The 10.5.6 upgrade came updated with a new CCID class driver, but
I'm not sure if it would be due to that or not since you can
encrypt/decrypt to yourself. I would try removing the CAC cache
and possibly deleting your original certificates, restart...add
the certificates back in, close Keychain Access and then open Mail
and try again. It's weird that you can encrypt to yourself with
no problem, but not anyone else. That just sounds like you're
missing the recipients' certificates within your Keychain. Did the
other person upgrade in the same exact fashion as you?
Let us know how it goes. Others may have some different
suggestions, too. ;-)
--Joe O'Toole
On Jan 9, 2009, at 7:06 PM, Basil Decina wrote:
Can anyone encrypt with their CAC under MacOS X 10.5.6, Apple
Mail 3.5 ? I upgraded to 10.5.6 and my ability to encrypt
messages broke. (It certainly worked under 10.5.4 and I'm pretty
sure it worked under 10.5.5.)
I can sign new messages and decrypt old ones. I can even send
myself an encrypted mail and decrypt it --- but I can't encrypt
to anyone else.
I'm using a CardMan 3021 by OMNIKEY with a GEMALTO GCX4 72K
CAC. Another person with the same configuration, except using an
Oberthur card, is having the same problem (but he can't encrypt
messages to himself). Both cards were issued to us in November,
2008.
Thanks, Basil
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
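A check for the condition this thread ends on (only one of the two e-mail certs present in the "login" keychain), added here as an example and not part of any poster's message. It assumes the macOS `security` tool and `openssl` are on the PATH, that the keychain is reachable as `login.keychain`, and that the signing cert carries the X.509 key usage "Digital Signature"/"Non Repudiation" while the encryption cert carries "Key Encipherment"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which e-mail certs the login keychain holds for an address.

# Classify one cert from its "X509v3 Key Usage" value (assumed CAC key usages).
classify_usage() {
    sign=no; enc=no
    case "$1" in *"Digital Signature"*|*"Non Repudiation"*) sign=yes ;; esac
    case "$1" in *"Key Encipherment"*) enc=yes ;; esac
    if [ "$sign" = yes ] && [ "$enc" = yes ]; then echo both
    elif [ "$sign" = yes ]; then echo sign
    elif [ "$enc" = yes ]; then echo encrypt
    else echo other; fi
}

# Read a PEM bundle on stdin; print "<class><TAB><subject>" for each certificate.
report_bundle() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}'
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        usage=$(openssl x509 -in "$f" -noout -text |
                grep -A1 'X509v3 Key Usage' | tail -n 1)
        subject=$(openssl x509 -in "$f" -noout -subject)
        printf '%s\t%s\n' "$(classify_usage "$usage")" "$subject"
    done
    rm -rf "$tmp"
}

# Decide from the list of classes whether both e-mail certs are present.
verdict() {
    has_sign=no; has_enc=no
    for c in $1; do
        case "$c" in
            sign) has_sign=yes ;;
            encrypt) has_enc=yes ;;
            both) has_sign=yes; has_enc=yes ;;
        esac
    done
    if [ "$has_sign" = yes ] && [ "$has_enc" = yes ]; then echo ok
    elif [ "$has_sign" = yes ]; then echo missing-encryption-cert
    elif [ "$has_enc" = yes ]; then echo missing-signing-cert
    else echo no-email-certs; fi
}

# Usage: sh check_certs.sh user@example.mil   (constructed address)
check_address() {
    lines=$(security find-certificate -a -e "$1" -p login.keychain | report_bundle)
    printf '%s\n' "$lines"
    verdict "$(printf '%s\n' "$lines" | cut -f1)"
}
if [ -n "${1:-}" ]; then check_address "$1"; fi
```

A result of `missing-encryption-cert` corresponds to the state described at the top of the thread, where signed mail carries only the first cert and correspondents cannot encrypt replies.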