Re: [Fed-Talk] Unable to send encrypted email in Snow Leopard
- Subject: Re: [Fed-Talk] Unable to send encrypted email in Snow Leopard
- From: "Timothy J. Miller" <email@hidden>
- Date: Wed, 6 Jan 2010 08:42:11 -0600
Andreas Yankopolus wrote:
> The received signed message shows a yellow bar that says "Unable to verify message signature". I click on "Show Details" and get a message saying "Unable to verify message signature: Mail was unable to verify the authenticity of the S/MIME certificate provided by 'email@hidden'. Messages signed by this user may be coming from a different source." I then click "Show Certificate" and get an unchecked box next to "Messages from 'FRED.FOOBAR...' are valid if signed by 'FOOBAR.FRED.F.1234567890'". I check the box and click "OK". The yellow bar and warning don't go away. I repeat the above process and find that the check box is unchecked. Mail doesn't remember the setting! This happens with every CAC-based cert. When I send to CAC users, I get the option to sign messages but not encrypt them. I have verified that the certs are imported into my keychain and are valid and trusted.
The warning and the inability to encrypt are the result of the email
address mismatch problem. Mail.app requires the "From:" address and the
rfc822Name in the signing cert to match, including a case-sensitive
match of the account name. There's not much you can do about this as a
recipient.
If the person you're trying to send to simply has a *case* mismatch, you
can work around this by adding the address to your address book and
changing the address to match. If the person you're sending to
literally has a different email address--not uncommon for DoD
users--there's nothing you can do.
I have complained about this problem (including bug reports) for almost
5 years now.
The failure to remember the "trust it anyway" setting is something I
vaguely recall noting but I don't think I got around to submitting a bug
report. You may want to do so.
> Mail accepts the certificate as valid; there's no yellow warning as with CAC users. I get the option to both sign and encrypt messages to users. But when I click "Send", I get a pop-up that says "Alert: An error occurred while trying to encrypt your messages. Verify that you have valid certificates in your keychain for all of the recipients." I also get this message when I try to send encrypted email to myself. I have verified that the certs are imported into my keychain and are valid and trusted.
This is probably a problem with your own cert. When you send an
encrypted email, *you* are an implied recipient, so it gets encrypted
for you as well as the addressees--otherwise you wouldn't be able to
read the email in your Drafts or Sent folders.
What Mail is telling you is it can't find an email encryption cert for
*you*. This could be the result of the email address matching problem,
so check your Mail.app Accounts config and your personal entry in
Address Book to make sure your address matches what's in your cert,
including case.
If that doesn't fix it, check your ECA cert Key Usage. DoD uses
different certs for signing and encrypting, and I *think* ECA issuers do
this too, but I'm not sure. It's been a while since I looked at the ECA
profiles and I don't have them handy. If you got more than one cert from
your ECA vendor, you need them *all* (and the private keys, natch). You
may have only the digital signature cert installed, and not the key
encipherment cert.
-- Tim
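As an added worked example (not part of this thread, and not Apple's or anyone's Mail.app code), the following POSIX shell script uses OpenSSL to reproduce the two checks Tim describes: (1) the "From:" address must match an rfc822Name in the certificate exactly, including case, and (2) an encryption cert must carry the keyEncipherment Key Usage bit, for the sender as implied recipient as well as for every addressee. It constructs two throwaway self-signed certificates in a temp directory (the CN, the address Fred.Foobar@example.mil and the sig/enc file names are hypothetical); one has only digitalSignature, the other only keyEncipherment, mirroring the DoD split between signing and encryption certs. It assumes OpenSSL 1.1.1 or later for `req -addext`.

```shell
#!/bin/sh
# Added example: reproduce Mail.app's two S/MIME checks with OpenSSL.
# All certificates, names and addresses here are constructed for the demo.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert <name> <keyUsage>: constructed self-signed cert with an rfc822Name SAN.
# The address is deliberately mixed case to exercise the case-sensitive match.
mkcert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=FOOBAR.FRED.F.1234567890" \
    -addext "subjectAltName=email:Fred.Foobar@example.mil" \
    -addext "keyUsage=critical,$2" >/dev/null 2>&1
}
mkcert sig digitalSignature   # signature-only cert (cannot receive encrypted mail)
mkcert enc keyEncipherment    # encryption cert

# E-mail addresses carried by the cert (subject e-mail and SAN rfc822Name entries).
cert_emails() { openssl x509 -in "$1" -noout -email; }

# Key Usage value; in -text output it sits on the line after the header.
cert_key_usage() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# address_check <cert> <From: address> -> MATCH | CASE_MISMATCH | ADDRESS_MISMATCH
# CASE_MISMATCH is the case you can fix via Address Book; ADDRESS_MISMATCH is not.
address_check() {
  if   cert_emails "$1" | grep -qxF  -- "$2"; then echo MATCH
  elif cert_emails "$1" | grep -qixF -- "$2"; then echo CASE_MISMATCH
  else echo ADDRESS_MISMATCH
  fi
}

# can_encrypt <cert> -> yes | no : Mail needs keyEncipherment, not just digitalSignature.
can_encrypt() {
  case "$(cert_key_usage "$1")" in
    *"Key Encipherment"*) echo yes ;;
    *)                    echo no  ;;
  esac
}

# One party's cert must pass both checks before encryption can proceed.
cert_usable_for_encryption() {  # <cert> <address>
  [ "$(address_check "$1" "$2")" = MATCH ] || { echo "FAIL: From/rfc822Name mismatch for $2"; return 1; }
  [ "$(can_encrypt "$1")" = yes ]          || { echo "FAIL: no keyEncipherment in $1"; return 1; }
}

# can_send_encrypted <my cert> <my From:> <their cert> <their address> -> OK | FAIL: ...
# The sender is an implied recipient, so the sender's own cert is checked first.
can_send_encrypted() {
  cert_usable_for_encryption "$1" "$2" &&
  cert_usable_for_encryption "$3" "$4" &&
  echo OK
}

# Worked runs (expected results in comments):
address_check "$WORK/sig.pem" "Fred.Foobar@example.mil"   # MATCH
address_check "$WORK/sig.pem" "fred.foobar@example.mil"   # CASE_MISMATCH
address_check "$WORK/sig.pem" "fred.f.foobar@example.mil" # ADDRESS_MISMATCH
can_encrypt "$WORK/sig.pem"                               # no
can_encrypt "$WORK/enc.pem"                               # yes
# Sender has only the signing cert installed: fails even when mailing yourself.
can_send_encrypted "$WORK/sig.pem" Fred.Foobar@example.mil "$WORK/sig.pem" Fred.Foobar@example.mil
# Sender and recipient both have encryption certs with matching addresses: OK
can_send_encrypted "$WORK/enc.pem" Fred.Foobar@example.mil "$WORK/enc.pem" Fred.Foobar@example.mil
```

To run this against a real cert exported from Keychain Access, point `address_check` and `can_encrypt` at the PEM file and pass the exact "From:" string from your Mail.app account settings; a CASE_MISMATCH result is the one Tim's Address Book workaround addresses, and a `no` from `can_encrypt` on your own cert means the keyEncipherment cert (and its private key) is not installed.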