[Fed-Talk] Re: Unable to send encrypted email in Snow Leopard
- Subject: [Fed-Talk] Re: Unable to send encrypted email in Snow Leopard
- From: Paul Derby <email@hidden>
- Date: Wed, 6 Jan 2010 16:44:15 -0500
I just filed the following BUG report with Apple, #7515516:
06-Jan-2010 04:30 PM Paul Derby:
Summary: MAIL always uses x.509 certs by first matching email address, then using the first non-expired cert stored on the sending machine without checking key usage. If two certs are present, the first with key usage of "Digital Signature" and the second with key usage of "Key Encipherment", then when encryption is selected in MAIL, Mail should use the second cert to perform the encryption. Instead, MAIL is using the first key, which does not allow encryption of the email.
Steps to Reproduce: Person A sends Person B a signed message resulting in Person A's signature key being placed in KeyChain as the first cert. Person A sends Person B his encryption certificate containing his public encryption key. Person B double clicks on the attachment, placing the cert on Person B's keychain as the second cert. Person B composes an email to Person A and clicks on the lock in MAIL to encrypt the message. Person B clicks on the SEND button in MAIL. Mail aborts saying the message cannot be sent.
Expected Results: OS X should provide MAIL knowledge of the key usage of each cert. When an email address matches, the key usage should determine which certificate is used for encryption and which certificate is used for a signature, allowing email to be sent using the appropriate certificate based on key usage contained in the certificate.
Actual Results: MAIL is matching with the first installed, non-expired key, ignoring the key usage in the certificate and allowing the user to select encryption when the key usage is signature. When the SEND button is clicked, OS X blocks the sending of the email and reports a problem with the certificate. This is extremely confusing to the end user, since the two ECMA compliant certificates are present, one for signing, the other for encryption. Mail should use the correct matching certificate based on key usage, not on installation order.
Regression:
Notes: This has been a long term problem in both Leopard and Snow Leopard. It really needs to be fixed as more and more organizations are using ECMA compliant certificates that have separate signature and encryption certificates for each individual.
--
Paul Derby
Chief Enterprise Architect supporting BioWatch Systems Program Office as IT Lead
Department of Homeland Security
703-647-2745
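The selection rule the bug report asks for (match the recipient's e-mail address, skip expired certificates, then pick by the Key Usage extension bit the operation needs) is short enough to show in full. The Go program below is an added example written for this archive page; it is not Apple's Mail code and not from the thread's authors. It builds three self-signed test certificates with Go's standard crypto/x509 package for a constructed address (person.a@example.invalid) in the keychain order from the "Steps to Reproduce" (signature cert first, encryption cert last, with an expired encryption cert in between), then contrasts the "first non-expired match" behaviour described under "Actual Results" with a pick that also requires keyEncipherment or digitalSignature. Real ECA and CAC certificates are CA-issued; self-signed ones are enough to exercise the selection logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed sample address; nothing here comes from a real keychain.
const sampleAddr = "person.a@example.invalid"

var errNoCert = errors.New("no valid certificate with matching e-mail address and key usage")

// makeCert builds a self-signed test certificate bound to email through the
// subjectAltName rfc822Name, carrying exactly the KeyUsage bits requested.
func makeCert(email string, ku x509.KeyUsage, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   serial,
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      notAfter.Add(-2 * 365 * 24 * time.Hour),
		NotAfter:       notAfter,
		KeyUsage:       ku,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Parsing the DER fills in KeyUsage/EmailAddresses from the extensions,
	// just as they would be read from an imported certificate.
	return x509.ParseCertificate(der)
}

// buildSampleKeychain reproduces the install order from the bug report:
// signature cert first (it arrived with a signed message), then an expired
// encryption cert, then the current encryption cert imported last.
func buildSampleKeychain(now time.Time) ([]*x509.Certificate, error) {
	sig, err := makeCert(sampleAddr, x509.KeyUsageDigitalSignature, now.Add(365*24*time.Hour))
	if err != nil {
		return nil, err
	}
	oldEnc, err := makeCert(sampleAddr, x509.KeyUsageKeyEncipherment, now.Add(-24*time.Hour))
	if err != nil {
		return nil, err
	}
	enc, err := makeCert(sampleAddr, x509.KeyUsageKeyEncipherment, now.Add(365*24*time.Hour))
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{sig, oldEnc, enc}, nil
}

// usableFor is the part both strategies share: inside the validity window
// and bound to the recipient's address via an rfc822Name SAN.
func usableFor(c *x509.Certificate, email string, now time.Time) bool {
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return false
	}
	for _, e := range c.EmailAddresses {
		if strings.EqualFold(e, email) {
			return true
		}
	}
	return false
}

// firstMatch is the behaviour the report describes: the first non-expired
// certificate for the address, with KeyUsage never consulted.
func firstMatch(certs []*x509.Certificate, email string, now time.Time) (*x509.Certificate, error) {
	for _, c := range certs {
		if usableFor(c, email, now) {
			return c, nil
		}
	}
	return nil, errNoCert
}

// selectByKeyUsage is the expected behaviour: additionally require the
// KeyUsage bits the operation needs (keyEncipherment to encrypt to the
// recipient, digitalSignature to verify or produce a signature).
func selectByKeyUsage(certs []*x509.Certificate, email string, need x509.KeyUsage, now time.Time) (*x509.Certificate, error) {
	for _, c := range certs {
		if usableFor(c, email, now) && c.KeyUsage&need == need {
			return c, nil
		}
	}
	return nil, errNoCert
}

func main() {
	now := time.Now()
	kc, err := buildSampleKeychain(now)
	if err != nil {
		panic(err)
	}
	naive, _ := firstMatch(kc, sampleAddr, now)
	fmt.Printf("first match: keyEncipherment set = %v (this is the cert that makes encryption fail)\n",
		naive.KeyUsage&x509.KeyUsageKeyEncipherment != 0)
	enc, _ := selectByKeyUsage(kc, sampleAddr, x509.KeyUsageKeyEncipherment, now)
	fmt.Printf("encryption cert: serial %s, expires %s\n", enc.SerialNumber, enc.NotAfter.Format(time.RFC3339))
	sig, _ := selectByKeyUsage(kc, sampleAddr, x509.KeyUsageDigitalSignature, now)
	fmt.Printf("signing cert:    serial %s\n", sig.SerialNumber)
}
```

The same usableFor check feeds both strategies, so the only difference between the failing and the working pick is the one `c.KeyUsage&need == need` test; a client that also wants to honour the extendedKeyUsage emailProtection OID would add a second check on ExtKeyUsage in the same place.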
Date: January 5, 2010 4:31:55 PM EST
Subject: [Fed-Talk] Unable to send encrypted email in Snow Leopard
I have an ORC ECA cert and am having zero success encrypting email to other users with 10.6.2. The problem manifests itself in two different ways in Mail with 10.6.2:
*** CAC users ***
The received signed message shows a yellow bar that says "Unable to verify message signature". I click on "Show Details" and get a message saying "Unable to verify message signature: Mail was unable to verify the authenticity of the S/MIME certificate provided by 'email@hidden'. Messages signed by this user may be coming from a different source." I then click "Show Certificate" and get an unchecked box next to "Messages from 'FRED.FOOBAR...' are valid if signed by 'FOOBAR.FRED.F.1234567890'". I check the box and click "OK". The yellow bar and warning don't go away. I repeat the above process and find that the check box is unchecked. Mail doesn't remember the setting! This happens with every CAC-based cert. When I send to CAC users, I get the option to sign messages but not encrypt them. I have verified that the certs are imported into my keychain and are valid and trusted.
*** ECA users (e.g., VeriSign) ***
Mail accepts the certificate as valid; there's no yellow warning as with CAC users. I get the option to both sign and encrypt messages to users. But when I click "Send", I get a pop-up that says "Alert: An error occurred while trying to encrypt your messages. Verify that you have valid certificates in your keychain for all of the recipients." I also get this message when I try to send encrypted email to myself. I have verified that the certs are imported into my keychain and are valid and trusted.
I've tried deleting all the certs from my login keychain and reinstalling them. This didn't help.
Thanks,
Andreas
Andreas Yankopolus, Ph.D.
Senior Systems Engineer
Scientific Research Corporation
770-989-9474