On Nov 4, 2011, at 2:12 PM, Mark A. Bienz wrote:

Folks,
Many of the e-mail senders I receive mail from work perfectly; e.g., they can sign e-mail and encrypt and I can see that it is a valid signature and I can decrypt their message. However some senders, even some I have been able to read and decrypt in the past give me the following error message:
Unable to verify message signature
I have checked their certificates; they are good. What do I need to do, or what is it they are doing wrong?
Mark,
As was noted to you by others here, Apple follows the RFC strictly, requiring the name to exactly match what's in the certificate.
It is frequently misinterpreted by well-intentioned Federal IT staff that Apple is doing the wrong thing. Apple's adherence to RFCs related to SMIME has been acknowledged by key NIST PKI resources as correct, yet Apple has been told numerous times by several Federal IT PKI staff members that "Everyone else ignores the RFCs with respect to SMIME, so Apple should just do the same". This is not a good foundation or approach to sound software development.
In short, and of course paraphrased (oversimplified) .... *IF* an RFC822 Name exists, then the Mail Agent MUST ensure the match to the sending/receiving email address for compliance.
*IF* an RFC822 Name DOES NOT exist, then the Mail Agent can allow if the certificate passes all remaining validations.
Even worse is the case where mail agents allow senders to use any old SMIME certificate for signing email messages, even with a specific conflict between the RFC822 Name and the email address used in sending the message. Using the IASE signed email messages as an example...
Subject: Draft MAC OSX 10.6 STIG Version 1 (UNCLASSIFIED)
Date: September 2, 2011 3:16:07 PM EDT
To: undisclosed-recipients: ;
This message was signed using the SMIME cert from "Christopher Calma" <email@hidden> from his Smart Card.
OS X correctly calls out that it is... "Unable to verify message signature". And by looking at the "Show Details" panel, you will see... "This certificate is not valid (email address mismatch)".
On Nov 7, 2011, at 8:37 AM, Miller, Timothy J. wrote:

That's a conscious decision in the encoding scheme. Apostrophes cause problems with lots of software, and there's no escape sequence that's universally accepted. It's more robust to eschew the apostrophe.
Special Characters / Double-Byte Characters ==> Unicode

Many Mac OS X applications support Unicode, a single, world-wide character set that works with most of the world's languages. The advantages of using Unicode include easy interchange of data with users of other operating systems, and not needing to know which font to use to display text in other languages correctly.
- Mac OS X: How to type Unicode characters, including Symbol or Zapf Dingbat fonts
- Mac Help (OS X Lion): Including characters and symbols in messages
- Mac OS X 10.7 Help: About using other languages on your computer
I hope this helps clear things up.
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division
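The RFC822 Name rule Shawn paraphrases above (match is mandatory when the certificate carries an address, the check is simply skipped when it carries none, and the IASE case fails with "email address mismatch"), written out as an added example. This is not Apple Mail's code and not from the list thread; it is a stdlib-only Python model of the receiving-agent check in RFC 5750 section 3. It assumes the signer certificate's addresses (subjectAltName rfc822Name values and, for legacy certificates, the PKCS#9 emailAddress attribute in the subject DN) have already been extracted into the `SignerCert` structure; the names, addresses and message headers below are constructed for the example.

```python
"""Receiving-agent sender-address check for S/MIME (RFC 5750 section 3).

Added example, not Apple's code. The certificate's email addresses are assumed
to have been pulled out of the signer certificate already; a real agent would
read them from the subjectAltName extension (rfc822Name) and, for old certs,
the PKCS#9 emailAddress attribute in the subject DN.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr


@dataclass
class SignerCert:
    subject_cn: str
    rfc822_names: list = field(default_factory=list)  # subjectAltName rfc822Name entries
    subject_email: str = None                         # legacy PKCS#9 emailAddress in subject DN

    def mail_addresses(self):
        """All addresses the certificate binds to the signer (SAN first, legacy DN last)."""
        addrs = list(self.rfc822_names)
        if self.subject_email:
            addrs.append(self.subject_email)
        return addrs


def normalize(addr):
    """Domain part compared case-insensitively; the local part is kept as-is
    (assumption made here: local parts are treated as case-sensitive)."""
    local, _, domain = addr.strip().rpartition("@")
    return f"{local}@{domain.lower()}"


def check_signer_address(raw_message, cert):
    """Return (accepted, reason) for a signed message and its signer certificate.

    *IF* the certificate carries an email address, the From or Sender header
    MUST match one of them.  *IF* it carries none, no comparison is possible and
    the message is accepted on the strength of the remaining path validation.
    """
    msg = message_from_string(raw_message)
    cert_addrs = {normalize(a) for a in cert.mail_addresses()}
    if not cert_addrs:
        return True, "certificate carries no email address; no comparison possible"
    for header in ("From", "Sender"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and normalize(addr) in cert_addrs:
            return True, f"{header} address {addr} matches certificate"
    _, from_addr = parseaddr(msg.get("From", ""))
    return False, (f"This certificate is not valid (email address mismatch): "
                   f"From {from_addr!r} not in {sorted(cert_addrs)}")


# Constructed sample certificates and message headers (not real people or mail).
GOOD_CERT = SignerCert("Alice Example", rfc822_names=["alice@example.mil"])
LEGACY_CERT = SignerCert("Carol Example", subject_email="carol@example.mil")
NO_ADDR_CERT = SignerCert("Bob Example")  # e.g. an identity cert issued without a mail address

MATCHING_MSG = "From: Alice Example <alice@EXAMPLE.mil>\nTo: bob@example.org\nSubject: test\n\nbody\n"
SENDER_MSG = "From: Some List <list@example.org>\nSender: alice@example.mil\nSubject: test\n\nbody\n"
LEGACY_MSG = "From: carol@example.mil\nSubject: test\n\nbody\n"
MISMATCH_MSG = "From: Alice Example <alice@example.org>\nSubject: test\n\nbody\n"


if __name__ == "__main__":
    cases = [
        ("SAN match, mixed-case domain", MATCHING_MSG, GOOD_CERT),
        ("Sender header matches", SENDER_MSG, GOOD_CERT),
        ("legacy DN emailAddress match", LEGACY_MSG, LEGACY_CERT),
        ("no address in cert", MISMATCH_MSG, NO_ADDR_CERT),
        ("IASE-style mismatch", MISMATCH_MSG, GOOD_CERT),
    ]
    for label, message, cert in cases:
        ok, reason = check_signer_address(message, cert)
        print(f"{label:32} -> {'accept' if ok else 'REJECT'}: {reason}")
```

The last case is the situation described for the IASE message: the signature itself may be cryptographically fine and the chain may validate, but the address in From does not appear in the certificate, so a strict agent reports the mismatch instead of silently accepting any certificate the sender happens to hold.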