Re: [Fed-Talk] PKI SIGNED E-MAIL
- Subject: Re: [Fed-Talk] PKI SIGNED E-MAIL
- From: "Miller, Timothy J." <email@hidden>
- Date: Mon, 07 Nov 2011 19:05:04 +0000
- Thread-topic: [Fed-Talk] PKI SIGNED E-MAIL
It may be literally correct, but Apple's implementation violates the
Robustness Principle:
"Be liberal in what you accept, and conservative in what you send."
In this case, Apple should accept and validate S/MIME with case-insensitive
local-part matching. Refusing to *emit* with a case mismatch in the
local-part conforms to the principle above, and can remain. This would
still be annoying, but since this is (ostensibly) under the user's control
it is less of a problem.
-- T
On 11/7/11 12:08 PM, "Shawn Geddis" <email@hidden> wrote:
>On Nov 4, 2011, at 2:12 PM, Mark A. Bienz wrote:
>
>Folks,
>
>Many of the e-mail senders I receive mail from work perfectly; e.g., they
>can sign e-mail and encrypt and I can see that it is a valid signature
>and I can decrypt their message. However some senders, even some I have
>been able to read and decrypt in the past give me the following error
>message:
>
>Unable to verify message signature
>
>I have checked their certificates; they are good. What do I need to
>do...or what is it they are doing wrong?
>
>
>
>
>
>Mark,
>
>As was noted to you by others here, Apple follows the RFC strictly,
>requiring the name to exactly match what's in the certificate.
>
>It is frequently misinterpreted by well intentioned Federal IT Staff that
>Apple is doing the wrong thing. Apple's adherence to RFCs related to
>SMIME has been acknowledged by key NIST PKI resources as correct, yet
>Apple has been told numerous times by several Federal IT PKI Staff
>members that "Everyone else ignores the RFCs with respect to SMIME, so
>Apple should just do the same". This is not a good foundation or
>approach to sound software development.
>
>In short and of course paraphrased (oversimplified) ....
>*IF* an RFC822 Name exists, then the Mail Agent MUST ensure the match to
>the sending/receiving email address for compliancy.
> "email@hidden" DOES NOT Equal "email@hidden"
>
>*IF* an RFC822 Name DOES NOT exist, then the Mail Agent can allow if the
>certificate passes all remaining validations.
>
>Even worse is the case where Mail agents allow senders to use any old
>SMIME certificate for Signing Email messages even with a specific
>conflict between RFC822Name and the email address used in sending the
>message. Using the IASE Signed Email messages as an example...
>
>
>
>From: IASE <email@hidden>
>
>Subject: Draft MAC OSX 10.6 STIG Version 1 (UNCLASSIFIED)
>
>Date: September 2, 2011 3:16:07 PM EDT
>
>To: undisclosed-recipients: ;
>
>
>
>
>This message was signed using the SMIME Cert from "Christopher Calma"
><email@hidden> from his Smart Card.
>
>OS X Correctly calls out that it is...
> "Unable to verify message signature"
>
> And by looking at the "Show Details" panel, you will see...
>
> "This certificate is not valid (email address mismatch)"
>
>
>
>
>
>On Nov 7, 2011, at 8:37 AM, Miller, Timothy J. wrote:
>
>That's a conscious decision in the encoding scheme. Apostrophes cause
>problems with lots of software, and there's no escaping sequence that's
>universally accepted. It's more robust to eschew the apostrophe.
>
>
>
>
>Special Characters / Double-Byte Characters ==> Unicode
>
>Many Mac OS X applications support Unicode, a single, world-wide
>character set that works with most of the world's languages. The
>advantages of using Unicode include easy interchange of data with users
>of other operating systems, and not needing to know which font to use to
>display text in other languages correctly.
>
>
>
>- Mac OS X: How to type Unicode characters, including Symbol or Zapf
>Dingbat fonts
> http://support.apple.com/kb/HT1518
>
>- Mac Help (OS X Lion): Including characters and symbols in messages
> http://docs.info.apple.com/article.html?path=Mail/4.0/en/10001.html
>
>- Mac OS X 10.7 Help: About using other languages on your computer
> http://docs.info.apple.com/article.html?path=Mac/10.7/en/mchlp2267.html
>
>
>I hope this helps clear things up.
>
>- Shawn
>________________________________________
>Shawn Geddis
>Security Consulting Engineer
>Apple Enterprise Division
>
> _______________________________________________
>Do not post admin requests to the list. They will be ignored.
>Fed-talk mailing list (email@hidden)
>Help/Unsubscribe/Update your Subscription:
>
>This email sent to email@hidden
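The two address-matching policies argued in this thread, written out as an added example (not code from either poster or from Apple): strict exact matching of the sender address against the certificate's rfc822Name values, and the reply's proposal of accepting a case-only local-part difference on receipt while still refusing to sign with one. All function names and the example.org addresses are hypothetical and constructed for illustration.

```python
from enum import Enum

class Match(Enum):
    EXACT = "exact match"
    CASE_ONLY = "local-part differs only by case"
    MISMATCH = "email address mismatch"
    NO_RFC822NAME = "certificate has no rfc822Name"

def split_addr(addr):
    """Split at the last '@'. Domains compare case-insensitively, so fold them."""
    local, sep, domain = addr.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an addr-spec: {addr!r}")
    return local, domain.lower()

def classify(sender, cert_names):
    """Compare the message's sender address with the certificate's rfc822Name values."""
    if not cert_names:
        return Match.NO_RFC822NAME
    s_local, s_domain = split_addr(sender)
    best = Match.MISMATCH
    for name in cert_names:
        c_local, c_domain = split_addr(name)
        if c_domain != s_domain:
            continue
        if c_local == s_local:
            return Match.EXACT
        if c_local.lower() == s_local.lower():
            best = Match.CASE_ONLY
    return best

def address_ok_on_receive(sender, cert_names, lenient=True):
    """lenient=False: exact match required (the strict behaviour described above).
    lenient=True: also accept a case-only difference (the reply's proposal).
    True only means the address check passed; chain validation is separate."""
    allowed = {Match.EXACT, Match.NO_RFC822NAME}
    if lenient:
        allowed.add(Match.CASE_ONLY)
    return classify(sender, cert_names) in allowed

def address_ok_on_send(sender, cert_names):
    """Conservative when emitting: never sign with a case mismatch."""
    return classify(sender, cert_names) in {Match.EXACT, Match.NO_RFC822NAME}

if __name__ == "__main__":
    # Constructed addresses, not taken from the thread.
    for frm, names in [("Jane.Doe@example.org", ["jane.doe@example.org"]),
                       ("list@example.org", ["jane.doe@example.org"])]:
        print(frm, names, classify(frm, names).value,
              address_ok_on_receive(frm, names, lenient=False),
              address_ok_on_receive(frm, names, lenient=True))
```

Reporting `CASE_ONLY` separately from `MISMATCH` also lets a client tell the user which of the two problems it hit, instead of one generic "email address mismatch".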