RE: [Fed-Talk] Change in Cert Validation in 10.6.4?
- Subject: RE: [Fed-Talk] Change in Cert Validation in 10.6.4?
- From: "Miller, Timothy J." <email@hidden>
- Date: Tue, 29 Jun 2010 09:26:26 -0400
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Change in Cert Validation in 10.6.4?
You're chaining through the bridge and OS X doesn't grok nameConstraints. Since nameConstraints is marked critical (for damn good reasons :) in cross-certificates, the chain will always be invalid.
The cause of this is a combination of factors:
- The sender has the Common Policy CA cert installed in his cert store. When this happens, CAPI prefers the bridge chain over the shorter chain to the local root.
- Outlook sends the whole chain with the signed message. This is configurable in the Outlook Trust Center S/MIME pane.
- OS X appears to only attempt to validate the chain as sent, rather than build it anew. Alternately, the chain failure because of critical extensions not processed doesn't cause the validation engine to seek a different path. I'm not sure which is happening because I haven't constructed test cases.
-- Tim
>-----Original Message-----
>From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Henry B. Hotz
>Sent: Monday, June 28, 2010 6:37 PM
>To: Apple Fed Talk
>Subject: [Fed-Talk] Change in Cert Validation in 10.6.4?
>
>I now get the following error when I receive an encrypted email from
>someone else at NASA. It doesn't prevent me from actually reading the
>email, but I don't recall getting this warning before.
>
>Looking through the cert I see a critical "name constraints" extension
>(OID 2.5.29.30) which seems the most likely suspect, but I may be wrong.
>Even if I check the "always trust" box on the FBCA, the "common policy"
>cert still fails because it has an invalid issuer.
>
>Any comments or analysis anyone?
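The two behaviours Tim contrasts above (a validator that cannot process a critical extension must reject that path, and a path builder that either stops at the chain as sent or goes looking for another path to a trusted root) can be modelled in a few dozen lines. What follows is an added example written for this page, not code from Apple, Microsoft, NASA or anyone on the thread. It uses made-up CA names, mailboxes and namespaces, represents certificates as plain records with only the fields needed (no signatures or validity periods are checked), and implements only the rfc822Name form of RFC 5280 nameConstraints, which is the one that matters for S/MIME.

```python
"""Toy RFC 5280 path building and nameConstraints processing (rfc822Name only).

Added example for this thread; it is not Apple's, Outlook's or CAPI's code.
Every CA name, mailbox and namespace below is made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    emails: tuple = ()                  # rfc822Name SubjectAltNames
    critical: frozenset = frozenset()   # names of extensions marked critical
    permitted: tuple = ()               # nameConstraints permittedSubtrees
    excluded: tuple = ()                # nameConstraints excludedSubtrees


def email_in_subtree(addr, subtree):
    """RFC 5280 4.2.1.10: 'joe@x.gov' is one mailbox, 'x.gov' is any mailbox on
    that host, '.x.gov' is any mailbox on any host under x.gov."""
    addr, subtree = addr.lower(), subtree.lower()
    if "@" in subtree:
        return addr == subtree
    host = addr.rsplit("@", 1)[-1]
    return host.endswith(subtree) if subtree.startswith(".") else host == subtree


def subtree_within(sub, sup):
    """True if every mailbox matched by `sub` is also matched by `sup`."""
    if "@" in sub:
        return email_in_subtree(sub, sup)
    sub, sup = sub.lower(), sup.lower()
    return sub.endswith(sup) if sup.startswith(".") else sub == sup


def validate_path(path, understood):
    """`path` runs from trust anchor to end entity; `understood` is the set of
    extensions this validator can process. Returns None if the path is valid,
    otherwise the reason. A critical extension the validator cannot process
    MUST fail the path (RFC 5280 4.2); that is what a nameConstraints-blind
    validator does when it meets a bridge cross-certificate."""
    permitted, excluded = None, []
    for cert in path[1:]:                          # the anchor is trusted as-is
        unknown = cert.critical - understood
        if unknown:
            return f"{cert.subject}: unprocessed critical extension {sorted(unknown)}"
        for addr in cert.emails:                   # constraints bind later certs
            if permitted is not None and not any(email_in_subtree(addr, s) for s in permitted):
                return f"{addr} is outside permitted subtrees {permitted}"
            if any(email_in_subtree(addr, s) for s in excluded):
                return f"{addr} is inside excluded subtrees {excluded}"
        if cert.permitted:                         # intersect with what is already in force
            permitted = list(cert.permitted) if permitted is None else [
                s for s in cert.permitted if any(subtree_within(s, p) for p in permitted)]
        excluded.extend(cert.excluded)
    return None


def build_paths(leaf, store, anchors):
    """Enumerate every path from `leaf` to a trust anchor. `store` maps a subject
    name to all certificates issued to it (cross-certification gives a CA more
    than one); `anchors` maps a trusted root's name to its certificate."""
    def walk(cert, seen):
        if cert.issuer in anchors:
            yield [anchors[cert.issuer], cert]
        for issuer_cert in store.get(cert.issuer, ()):
            if issuer_cert.subject not in seen:    # no loops through the bridge
                for path in walk(issuer_cert, seen | {issuer_cert.subject}):
                    yield path + [cert]
    return list(walk(leaf, {leaf.subject}))


def find_valid_path(leaf, store, anchors, understood):
    """A builder that keeps looking when one candidate path fails instead of
    giving up on the chain as sent. Returns (path or None, errors seen)."""
    errors = []
    for path in build_paths(leaf, store, anchors):
        problem = validate_path(path, understood)
        if problem is None:
            return path, errors
        errors.append(problem)
    return None, errors


# Constructed PKI (names are made up): an agency root that is also
# cross-certified by a bridge, which is cross-certified by a policy root.
# Both cross-certs carry a critical nameConstraints, as in the thread.
ANCHORS = {
    "NASA Root": Cert("NASA Root", "NASA Root"),
    "Common Policy": Cert("Common Policy", "Common Policy"),
}
STORE = {
    "NASA Ops CA": [Cert("NASA Ops CA", "NASA Root", critical=frozenset({"basicConstraints"}))],
    "NASA Root": [Cert("NASA Root", "FBCA", critical=frozenset({"basicConstraints", "nameConstraints"}),
                       permitted=("nasa.gov", ".nasa.gov"))],
    "FBCA": [Cert("FBCA", "Common Policy", critical=frozenset({"basicConstraints", "nameConstraints"}),
                  permitted=(".gov",))],
}
LEAF = Cert("Jane Doe", "NASA Ops CA", emails=("jane.doe@jpl.nasa.gov",), critical=frozenset({"keyUsage"}))
# A mailbox the agency CA should not be vouching for over the bridge.
STRAY = Cert("Stray", "NASA Ops CA", emails=("stray@example.org",), critical=frozenset({"keyUsage"}))

BLIND = frozenset({"basicConstraints", "keyUsage"})   # no nameConstraints support
FULL = BLIND | {"nameConstraints"}


def sent_chain(leaf):
    """Model a sender whose client prefers the bridge path: the longest chain."""
    return max(build_paths(leaf, STORE, ANCHORS), key=len)


if __name__ == "__main__":
    chain = sent_chain(LEAF)
    print("as sent, nameConstraints-blind:", validate_path(chain, BLIND))
    print("as sent, full RFC 5280:", validate_path(chain, FULL))
    rebuilt, _ = find_valid_path(LEAF, STORE, ANCHORS, BLIND)
    print("rebuilt by the blind validator:", [c.subject for c in rebuilt])
    print("stray mailbox over the bridge:", validate_path(sent_chain(STRAY), FULL))
```

Run as a script it prints the four outcomes the thread is arguing about: the bridge chain as sent fails for the validator that does not process nameConstraints, the same chain passes once the extension is processed, a builder that tries other paths falls back to the short chain to the local root even for the blind validator, and, with constraints processed, the bridge path correctly refuses a mailbox outside the agency's permitted namespace while the short path (which carries no constraints) still accepts it. Both validators are deliberately strict about unknown critical extensions; silently ignoring one would defeat the purpose of marking it critical.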
_______________________________________________
Fed-talk mailing list (email@hidden)