[Fed-Talk] Re: Help with actual & "certified" email address mismatch (CAC)
- Subject: [Fed-Talk] Re: Help with actual & "certified" email address mismatch (CAC)
- From: "Levine, Jason (NIH/NCI) [E]" <email@hidden>
- Date: Thu, 22 Jul 2010 15:35:23 -0400
- Acceptlanguage: en-US
- Thread-topic: Help with actual & "certified" email address mismatch (CAC)
Uri, unfortunately, your needs are completely counter to the basic rules of validation that govern signing and encryption. One of the most basic tenets of this validation is that an email address is an exact match for a certificate's embedded email address -- so in the case of signing, the email has to come from that address, and in the case of encryption, the email has to go to that address.
Without this basic tenet, the actual security of that validation falls apart, because someone else could sign an email but then forge its headers to purport to be from me, or could encrypt an email using a cert that has nothing to do with the recipient's.
I think I understand that you wish to override this tenet of the validation process by manually associating email address A with a cert that has an embedded address NOT-A... but I'd imagine that it's a rare product which allows that to happen, since it'd then diminish the security of the process, and serve as a potential attack vector (via social engineering or other hacks which would insert overrides that would seamlessly claim security when none existed). In the end, I'd ask why the gentleman's email addresses don't match -- why he has a CAC card with a different address than the one he sends from/receives to. That's really the part of this that's broken, not the UI or functionality of the mail agent at your end.
Jason
> I'm using Mac OS X 10.6.4 (all the latest patches), installed CACNG-0.96. For email I use Apple Mail 4.3 (1081) and MS Entourage 13.0.5 (100510).
>
> My Mac recognizes CAC, sees certificates on it, etc. I successfully used it to authenticate to US AF Portal.
>
> Now I need to exchange email with a gentleman (either we both use CAC cards, or only he does: I have other "soft" certificates on my Mac that I can and often do use for email security).
>
> His actual email address is: email@hidden
> His CAC-based cert says: email@hidden
>
> My needs are:
>
> 1. Verify signature on John.Doe's email that comes from his real address but is signed by his CAC identity
> 2. Send email to email@hidden (his actual/real email address) -- yet have it encrypted to his CAC identity.
>
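Added example, not part of the thread and not code from any mail client mentioned in it: the address-match check Jason describes, as an S/MIME agent applies it before trusting a signature. The agent takes the real address out of the message's From header (display name ignored) and compares it with the rfc822Name values carried in the signing certificate. The certificate addresses are passed in as plain strings so the script runs with only the standard library; every address, name and message below is a constructed sample, not a value from the thread.

```python
"""Model of the sender-address check a mail agent runs on a signed message.

S/MIME agents compare the address in the From header with the rfc822Name
entries of the signer's certificate (or the legacy emailAddress attribute).
Here the certificate addresses are supplied as strings so no crypto library
is needed; all sample values are constructed for this example.
"""
from __future__ import annotations

import email
from email.utils import parseaddr

# Constructed: addresses that would appear in the signer's certificate SAN.
CERT_EMAILS = ["john.doe.civ@mail.example.mil"]

# Constructed: From header matches the certificate exactly.
GOOD_MSG = (
    "From: John Doe <john.doe.civ@mail.example.mil>\n"
    "To: uri@example.org\nSubject: signed\n\nbody\n"
)

# Constructed: same mailbox, domain written in upper case.
GOOD_MSG_CASE = (
    "From: John Doe <john.doe.civ@MAIL.EXAMPLE.MIL>\n"
    "To: uri@example.org\nSubject: signed\n\nbody\n"
)

# Constructed: the situation in the thread -- the message comes from the
# sender's everyday address, but the cert carries a different address.
MISMATCH_MSG = (
    "From: John Doe <john.doe@dept.example.mil>\n"
    "To: uri@example.org\nSubject: signed\n\nbody\n"
)

# Constructed: the cert address appears only in the display name; the real
# sender is someone else.  This is why the check ignores the display name.
SPOOFED_MSG = (
    'From: "john.doe.civ@mail.example.mil" <mallory@other.example.net>\n'
    "To: uri@example.org\nSubject: signed\n\nbody\n"
)


def normalize(addr: str) -> str:
    """Lower-case the domain only; the local part is compared as written."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr
    return f"{local}@{domain.lower()}"


def sender_address(raw_message: str) -> str:
    """Return the actual mailbox from the From header, display name dropped."""
    msg = email.message_from_string(raw_message)
    _display_name, addr = parseaddr(msg.get("From", ""))
    return addr


def address_matches_cert(raw_message: str, cert_emails: list[str]) -> bool:
    """True only if the From address equals one of the certificate addresses."""
    sender = normalize(sender_address(raw_message))
    if not sender:
        return False
    return any(sender == normalize(c) for c in cert_emails)


if __name__ == "__main__":
    for label, raw in [("good", GOOD_MSG), ("good-case", GOOD_MSG_CASE),
                       ("mismatch", MISMATCH_MSG), ("spoofed", SPOOFED_MSG)]:
        ok = address_matches_cert(raw, CERT_EMAILS)
        print(f"{label:10} from={sender_address(raw):40} match={ok}")
```

The mismatch and spoofed cases both fail for the same reason: the agent binds trust to the mailbox the certificate names, not to anything the sender types into the header. An override that mapped address A to a cert for NOT-A would make the spoofed message indistinguishable from a genuine one.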