Re: [Fed-Talk] mail uses old x.509 certificate
- Subject: Re: [Fed-Talk] mail uses old x.509 certificate
- From: "Walls, Bryan K. (MSFC-IS30)" <email@hidden>
- Date: Thu, 5 Mar 2009 17:47:37 -0600
Don't know if it applies to your case, but our current signing
certificates don't include an encryption public key. They only include
the following Usage:
Digital Signature, Non-Repudiation
Our older keys did include the public key info. So if someone had my
certificate from an old signed message, it expired, and I sent them a
new validly signed message, the end result is they would still only
have an expired cert for me in their keychain. They would have to use
the public NASA ldap directory to find a current valid cert to send me
an encrypted message.
I've been assured this was all necessary in preparation for our
upcoming use of PIV cards.
I may have garbled the wording, but the result is as I describe. My
current signature doesn't give you enough to send me an encrypted
message, but the old one (pre-Federal Bridge/NOCA) did.
On Mar 5, 2009, at 5:27 PM, Andrew Lambdin-Abraham wrote:
Could the Address Book entry be storing the certificate in the contact
itself?
Can you reply to the signed email with an encrypted one?
Can you save the sender of the new signed email as a new contact and
send encrypted email to that?
Andrew
On Mar 5, 2009, at 12:21 PM, Paul Derby wrote:
We have one user that needs to send encrypted email to another user
at Los Alamos Labs.
The Los Alamos user's certificate expired. He sent a new, signed
email resulting in the new certificate going to the keychain.
The keychain shows only the new certificate. Address Book shows the
expired certificate. Apple Mail finds the expired certificate and
won't encrypt because the cert has expired.
The old certificate does not show up anywhere in the keychain.
Is there somewhere else that Mail and Address Book check for certs?
How is it that all certs don't appear in the keychain?
I ran keychain firstaid and no errors are found.
Any idea where to look for the invisible cert?
Is there some sort of GREP command where you can find all certs?
Spotlight doesn't find any certs.
Thanks for any help in locating this expired cert so we can remove
it from the machine and so that Mail will allow encryption to this
user again.
Paul
--
Paul Derby
Chief Enterprise Architect
supporting BioWatch Systems Program Office as IT Lead
Department of Homeland Security
email@hidden (preferred)
email@hidden
703-647-2745
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
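The key-usage distinction Bryan describes, as an added example that is not part of this thread: three constructed self-signed test certificates (an expired dual-use cert like the old one Address Book kept, a current signing-only cert with only Digital Signature and Non-Repudiation, and a current dual-use cert) built with the Python `cryptography` package, each checked the way a mail client must before encrypting, for validity period and for the Key Encipherment bit an RSA certificate needs. Certificate names and dates are made up.

```python
# Added example (not from the thread): three constructed self-signed test certs built with
# the `cryptography` package, checked the way a mail client must before it encrypts.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2009, 3, 5, tzinfo=dt.timezone.utc)  # date of the thread
YEAR = dt.timedelta(days=365)
KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # one key reused for speed
USAGE_NAMES = [("digital_signature", "Digital Signature"), ("content_commitment", "Non-Repudiation"),
               ("key_encipherment", "Key Encipherment"), ("key_agreement", "Key Agreement")]

def make_cert(cn, not_before, not_after, key_encipherment):
    """Self-signed test cert; key_encipherment toggles the RSA encryption usage bit."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    usage = x509.KeyUsage(  # content_commitment is the bit Keychain Access shows as Non-Repudiation
        digital_signature=True, content_commitment=True, key_encipherment=key_encipherment,
        data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False,
        encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(KEY.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(usage, critical=True).sign(KEY, hashes.SHA256()))

def usage_names(cert):
    """KeyUsage bits that are set, labelled the way Keychain Access displays them."""
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    return [label for attr, label in USAGE_NAMES if getattr(ku, attr)]

def encryption_cert_status(cert, now=NOW):
    """'ok' if a client may encrypt to this cert at `now`, otherwise why it must refuse."""
    # Older cryptography releases expose only naive UTC datetimes; newer ones add *_utc variants
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=dt.timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    if not nb <= now <= na:
        return "expired or not yet valid"
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return "ok"  # no KeyUsage extension at all: RFC 5280 leaves the key unrestricted
    if not ku.key_encipherment:  # RFC 5750: an RSA cert without this bit must not be used for key transport
        return "no Key Encipherment usage"
    return "ok"

# Constructed stand-ins for the certificates discussed in the thread
EXPIRED_OLD = make_cert("old dual-use cert", NOW - 2 * YEAR, NOW - YEAR, key_encipherment=True)
SIGN_ONLY = make_cert("new signing-only cert", NOW - YEAR, NOW + YEAR, key_encipherment=False)
DUAL_USE = make_cert("current dual-use cert", NOW - YEAR, NOW + YEAR, key_encipherment=True)
```

Calling `encryption_cert_status()` on the three certs gives "expired or not yet valid", "no Key Encipherment usage" and "ok" respectively, which is why a fresh signature alone does not let a client reply encrypted: it needs a current cert that also carries the encryption usage.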