Re: [Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 21
- Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 21
- From: "Miller, Timothy J." <email@hidden>
- Date: Wed, 28 Jan 2009 16:56:51 -0500
On 1/28/09 3:25 PM, "Paul Derby" <email@hidden> wrote:
> We've had a long-standing bug report where it appears that if a user installs
> another certificate containing the same email address before the older
> certificate expires, OS X uses the older instead of the newer certificate. As
> far as we can tell the user has no control over which unexpired cert can be
> used or any easy way to purge the certs.
That would be exactly backward. All else equal, the newest cert is more
likely to be valid. That's common PKI wisdom that may actually be captured
in a standard somewhere; I'll have to go look.
> Is there a similar cache for certs on the keychain that can be rebuilt or
> blown away as there is with the CAC certs?
You may be able to remove the cert without removing the private key. This
would allow you to decrypt inbound messages. I've never tried it, so I
could be suggesting something stupid. :)
-- Tim
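
Added example, not part of the original message and not code from OS X: a Python sketch contrasting the selection behaviour described in the bug report (older unexpired certificate wins) with the newest-valid-certificate policy argued for in the reply. The `Cert` record, the function names and the sample keychain contents are constructed for illustration; only validity dates are considered, with revocation and trust evaluation out of scope.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the X.509 fields that matter here."""
    email: str
    serial: str
    not_before: datetime
    not_after: datetime


def usable(certs: Iterable[Cert], email: str, now: datetime) -> list:
    """Certificates for `email` whose validity window contains `now`."""
    wanted = email.strip().lower()
    return [c for c in certs
            if c.email.strip().lower() == wanted
            and c.not_before <= now <= c.not_after]


def pick_oldest(certs, email, now) -> Optional[Cert]:
    """Behaviour described in the bug report: the older unexpired cert wins."""
    return min(usable(certs, email, now), key=lambda c: c.not_before, default=None)


def pick_newest(certs, email, now) -> Optional[Cert]:
    """Policy argued for in the reply: the most recently issued valid cert wins."""
    return max(usable(certs, email, now), key=lambda c: c.not_before, default=None)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample: a renewal installed before the original certificate expires.
KEYCHAIN = [
    Cert("user@example.com", "01", utc(2006, 3, 1), utc(2009, 3, 1)),    # original
    Cert("User@Example.com", "02", utc(2009, 1, 15), utc(2012, 1, 15)),  # renewal
    Cert("user@example.com", "03", utc(2009, 6, 1), utc(2012, 6, 1)),    # not yet valid
    Cert("other@example.com", "04", utc(2008, 1, 1), utc(2011, 1, 1)),   # other user
]
NOW = utc(2009, 1, 28)

if __name__ == "__main__":
    print("oldest-first:", pick_oldest(KEYCHAIN, "user@example.com", NOW).serial)
    print("newest-first:", pick_newest(KEYCHAIN, "user@example.com", NOW).serial)
```

During the overlap window the two policies disagree; once the original certificate expires they converge on the renewal.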