Re: [Fed-Talk] mail uses old x.509 certificate
Re: [Fed-Talk] mail uses old x.509 certificate
- Subject: Re: [Fed-Talk] mail uses old x.509 certificate
- From: "Miller, Timothy J." <email@hidden>
- Date: Tue, 10 Mar 2009 17:59:15 -0400
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] mail uses old x.509 certificate
On 3/9/09 1:42 PM, "Paul Derby" <email@hidden> wrote:
> For some reason they issue to certs to each person, one for signing,
> one for encryption.
FYI, they do this do this for very good reasons; encryption keys are often
escrowed. Escrowing *signature* keys is a big no-no. Key usage separation
is also required by the Federal PKI CPS, so I'm willing to bet the reason
it's different for this lab is that they're farther along the HSPD-12 path.
> OS X does not thoroughly validate a cert for "cert usage". OS X tells ADDRESS
> BOOK that a cert is "valid" but if the cert is a "signing cert" and you don't
> have an "encryption" cert OS X leads you to believe you have a legitimate cert
> from the information displayed in Key Chain Access and Address Book. However,
> Apple Mail won't encrypt the message and you don't get any indication from OS
> X or Apple Mail why you cannot encrypt. In fact KEYCHAIN ACCESS and ADDRESS
> BOOK tell you the cert is "valid". This is extremely confusing to the end
> users. At a minimum, Key Chain Access and Address Book should show not only
> the validity of the cert, but also the usage of the cert (encryption, signing,
> etc.) End users should not be expected to expand the entire cert and read
> through the cert to see if it is a signing cert or an encryption cert or a
> cert that can do both.
That's a good catch and betrays the designer's unfamiliarity with
operational PKIs.
> When an application such as APPLE MAIL or Key CHAIN ACCESS ask OS X for a cert
> for an individual, only one cert is identified by the OS and passed back to
> the application. If multiple certs are stored in the OS, the OS should return
> a list of certs with information such as expired or valid, and valid cert use.
Returning one cert isn't a problem *if* (a) the cert returned has the right
key usage, and (b) the cert returned is the *most recently issued*. That's
actually documented in a standard somewhere, but I'll be damned if I can
remember where. :)
> However, this is not always consistent. We have seen instances when OS X
> returns an expired cert that was added to the key chain after an unexpired
> cert.
Most likely they're coming out in an order determined by internal data
structures or storage.
-- Tim
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden