Re: [Fed-Talk] RE: DoD ECA Certificates - Hardware vs Software with the Mac
- Subject: Re: [Fed-Talk] RE: DoD ECA Certificates - Hardware vs Software with the Mac
- From: "Martin M. Lindner" <email@hidden>
- Date: Mon, 10 May 2010 14:22:54 -0400
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] RE: DoD ECA Certificates - Hardware vs Software with the Mac
Shawn,
Thanks for the response. Yes, I understand your comments and I've been
there. My ECA Smartcard is issued from ORC HW 3. There are 2 certs on the
card. <Name>.ID and <Name>.Encrypt. Both have the same rfc822 email address.
In the case of Apple mail it picks the first cert with the correct rfc822
email address regardless of the key usage. That's what appears to be the
real problem with Apple mail. It needs to be key usage aware.
Can't remember the details of the Entourage problem. Need to go back and
check.
Marty
--
Martin Lindner
Principal Engineer
Software Engineering Institute
CERT Coordination Center
Carnegie Mellon University
Office: +1 412 268-3107
Email: email@hidden
> From: "Shawn A. Geddis" <email@hidden>
> Date: Mon, 10 May 2010 10:41:47 -0400
> To: Martin Lindner <email@hidden>
> Cc: Fed Talk <email@hidden>
> Subject: Re: [Fed-Talk] RE: DoD ECA Certificates - Hardware vs Software with
> the Mac
>
> On May 10, 2010, at 10:24 AM, Martin M. Lindner wrote:
>> I have a ECA Smartcard from ORC and I'm not using any special middleware.
>>
>> From the OS point of view everything works well.
>>
>> From an Email client point of view there are some issues. Unlike a CAC,
>> which has 3 certs, the ECA Smartcard only has 2. It appears that Apple Mail
>> and Entourage select the wrong certs when selecting between signing and
>> encrypting. So, using my ECA Smartcard doesn't work well with mail.
>
> Marty,
>
> Appears there may be some confusion with S/MIME and the use with respect to
> Mail.app and Entourage....
>
>
> Apple Mail
> ---------------
> Mail _automatically selects_ the first *valid* Digital Signing Cert for the
> account you are sending from. Keep in mind that one of the key problems
> people face is that they are not aware that one of the requirements for a
> Digital Signing Cert to be valid for your account is that *IF* an email
> address (RFC822Name) is included within the Cert, *everything* to the left of
> the '@' symbol is case-sensitive.
>
> MS Entourage (mail)
> ----------------------------
> You _must select_ which certificate to use for signing and encrypting email
> messages. Unless you select/set this up, you will be unable to Sign/Encrypt
> email.
>
>
> -Shawn
>
> __________________________________________________
> Shawn Geddis
> email@hidden
> Security Consulting Engineer email@hidden
>
> MacOSForge Smart Card Services Project Lead:
> Web: http://smartcardservices.macosforge.org/
> Lists: http://lists.macosforge.org/mailman/listinfo
> __________________________________________________
>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
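The selection behaviour the thread is arguing about (first certificate with a matching rfc822Name wins, versus choosing by KeyUsage bit) can be made concrete with a small selector. The code below is an added illustration, not from the thread or from Apple Mail or Entourage; it models certificates as simple records with constructed sample values (the `<Name>.ID` / `<Name>.Encrypt` labels, the `user.name@example.org` address and the validity dates are all made up) rather than parsing real X.509 files. It also applies the case rule Shawn mentions: the local part left of `@` is compared case-sensitively, the domain is not.

```python
"""Key-usage-aware S/MIME certificate selection (added illustration).

A smartcard holds two certificates with the same rfc822Name: one meant
for signing and one for encryption. Picking the first certificate whose
email matches, regardless of key usage, yields the wrong certificate for
one of the two operations. The usage-aware selector also checks KeyUsage.

Certificates are modelled as small records built from constructed sample
data, not parsed from real X.509 files.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class CertInfo:
    label: str                    # label of the object on the card, e.g. "<Name>.ID"
    emails: Tuple[str, ...]       # rfc822Name entries from subjectAltName
    key_usage: FrozenSet[str]     # KeyUsage bits, e.g. {"digitalSignature"}
    not_before: datetime
    not_after: datetime


def rfc822_matches(cert_email: str, account_email: str) -> bool:
    """rfc822Name comparison: the local part (left of '@') is
    case-sensitive, the domain part is compared case-insensitively."""
    if "@" not in cert_email or "@" not in account_email:
        return False
    c_local, c_domain = cert_email.rsplit("@", 1)
    a_local, a_domain = account_email.rsplit("@", 1)
    return c_local == a_local and c_domain.lower() == a_domain.lower()


def is_valid_for_account(cert: CertInfo, account_email: str, now: datetime) -> bool:
    """A cert is usable for an account if it is within its validity window
    and at least one of its rfc822Name entries matches the account address."""
    in_window = cert.not_before <= now <= cert.not_after
    return in_window and any(rfc822_matches(e, account_email) for e in cert.emails)


def select_first_match(certs: Sequence[CertInfo], account_email: str,
                       now: datetime) -> Optional[CertInfo]:
    """Email-only selection: the first valid cert with a matching rfc822Name,
    ignoring key usage. Used for both signing and encrypting, this returns
    the same certificate for both operations."""
    for c in certs:
        if is_valid_for_account(c, account_email, now):
            return c
    return None


def select_for_usage(certs: Sequence[CertInfo], account_email: str,
                     required_usage: str, now: datetime) -> Optional[CertInfo]:
    """Key-usage-aware selection: same validity checks plus the required
    KeyUsage bit ("digitalSignature" for signing, "keyEncipherment" for
    the certificate a correspondent should encrypt to)."""
    for c in certs:
        if is_valid_for_account(c, account_email, now) and required_usage in c.key_usage:
            return c
    return None


# Constructed sample card contents: two certs, same address, different usage.
_NOT_BEFORE = datetime(2009, 1, 1, tzinfo=timezone.utc)
_NOT_AFTER = datetime(2012, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2010, 5, 10, tzinfo=timezone.utc)
CARD = (
    CertInfo("<Name>.ID", ("user.name@example.org",),
             frozenset({"digitalSignature", "nonRepudiation"}), _NOT_BEFORE, _NOT_AFTER),
    CertInfo("<Name>.Encrypt", ("user.name@example.org",),
             frozenset({"keyEncipherment"}), _NOT_BEFORE, _NOT_AFTER),
)


def compare_selectors(account_email: str = "user.name@example.org") -> dict:
    """Show which certificate each strategy hands to the encrypt and sign
    paths; the naive strategy returns the signing cert for both."""
    naive = select_first_match(CARD, account_email, NOW)
    return {
        "naive_sign": naive.label if naive else None,
        "naive_encrypt": naive.label if naive else None,
        "aware_sign": getattr(select_for_usage(CARD, account_email, "digitalSignature", NOW), "label", None),
        "aware_encrypt": getattr(select_for_usage(CARD, account_email, "keyEncipherment", NOW), "label", None),
    }


if __name__ == "__main__":
    for k, v in compare_selectors().items():
        print(f"{k}: {v}")
    # An account configured with a different local-part case matches nothing.
    print("case mismatch:", compare_selectors("User.Name@example.org"))
```

Run as a script it prints the certificate chosen by each strategy; the naive strategy returns `<Name>.ID` for encryption as well, which is the mismatch described in the thread, while the usage-aware one returns `<Name>.Encrypt`. The same checks run for an address with the local part in a different case show why a mis-cased account setting makes the certificate appear invalid.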