Re: [Fed-Talk] PKI SIGNED E-MAIL
Re: [Fed-Talk] PKI SIGNED E-MAIL
- Subject: Re: [Fed-Talk] PKI SIGNED E-MAIL
- From: "Blumenthal, Uri - 0668 - MITLL" <email@hidden>
- Date: Mon, 07 Nov 2011 14:30:29 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] PKI SIGNED E-MAIL
A usable Mail Agent must leave the final decision in the hands of the
user. I.e. if a user decides that email sent by email@hidden and signed
by email@hidden is "kosher", the Mail agent must allow the user to
(permanently) set this exception for the given address-cert pair.
RFC is not a suicide pact. The final and ultimate goal is to interoperate,
not to demonstrate who's "holier than thou".
<rant>
For example (and side-tracking), Apple may be 10 times right in its
assessment of usefulness (or lack of) of FIPS certification for software
modules. But if Apple doesn't initiate Lion crypto FIPS certification
process FileVault 2 won't be allowed in Fed agencies, other solutions
(like WInMagic SecureDoc) would be forced, and finally when it becomes
obvious that both choices (use SecureDoc and miss out on OS security
updates, or stay current on OS patches and lack FIPS-certified FDE) are
bad users will be pushed away from Mac towards Win (mostly) and Linux
desktops. In our Lab there's already a blanket prohibition on purchasing
equipment that can run only Lion (hopefully it will be lifted). Does Apple
Care?
</rant>
--
Regards,
Uri Blumenthal
<Disclaimer - my opinions are my own, and not those of my employer>
From: Shawn Geddis <email@hidden>
Date: Mon, 7 Nov 2011 13:08:58 -0500
To: "Mark A. Bienz" <email@hidden>
Cc: Fed Talk <email@hidden>
Subject: Re: [Fed-Talk] PKI SIGNED E-MAIL
>On Nov 4, 2011, at 2:12 PM, Mark A. Bienz wrote:
>
>Folks,
>
>Many of the e-mail senders I receive mail from work perfectly; e.g., they
>can sign e-mail and encrypt and I can see that it is a valid signature
>and I can decrypt their message. However some senders, even some I have
>been able to read and decrypt in the past give me the following error
>message:
>
>Unable to very message signature
>
>I have checked their certificates they are good. What do I need to
>do...or what is it they are doing wrong.
>
>
>
>
>
>Mark,
>
>As was noted to you by others here, Apple follows the RFC strictly,
>requiring the name to exactly match what's in the certificate.
>
>It is frequently misinterpreted by well intentioned Federal IT Staff that
>Apple is doing the wrong thing. Apple's adherence to RFCs related to
>SMIME has been acknowledged by key NIST PKI resources as correct, yet
>Apple has been told numerous times by several Federal IT PKI Staff
>members that "Everyone else ignores the RFCs with respect to SMIME, so
>Apple should just do the same". This is not a good foundation or
>approach to sound software development.
>
>In short and of course paraphrased (oversimplified) ....
>*IF* an RFC822 Name exists, then the Mail Agent MUST ensure the match to
>the sending/receiving email address for compliancy.
> "email@hidden" DOES NOT Equal "email@hidden"
>
>*IF* an RFC822 Name DOES NOT exist, then the Mail Agent can allow if the
>certificate passes all remaining validations.
>
>Even worse is the case where Mail agents allow senders to use any old
>SMIME certificate for Signing Email messages even with a specific
>conflict between RFC822Name and the email address used in sending the
>message. using the IASE Signed Email messages as an example...
>
>
>
>From: IASE <email@hidden>
>
>Subject: Draft MAC OSX 10.6 STIG Version 1 (UNCLASSIFIED)
>
>Date: September 2, 2011 3:16:07 PM EDT
>
>To: undisclosed-recipients: ;
>
>
>
>
>This message was signed using the SMIME Cert from "Christopher Calma"
><email@hidden> from his Smart Card.
>
>OS X Correctly calls out that it is...
> "Unable to verify message signature"
>
> And by looking at the "Show Details" panel, you will see...
>
> "This certificate is not valid (email address mismatch)"
>
>
>
>
>
>On Nov 7, 2011, at 8:37 AM, Miller, Timothy J. wrote:
>
>That's a conscious decision in the encoding scheme. Apostrophes cause
>problems with lots of software, and there's no escaping sequence that's
>universally accepted. It's more robust to eschew the apostrophe.
>
>
>
>
>Special Characters / Double-Byte Characters ==> Unicode
>
>Many Mac OS X applications support Unicode, a single, world-wide
>character set that works with most of the world's languages. The
>advantages of using Unicode include easy interchange of data with users
>of other operating systems, and not needing to know which font to use to
>display text in other languages correctly.
>
>
>
>-Mac OS X: How to type Unicode characters, including Synbol or Zapf
>Dingbat fonts
> http://support.apple.com/kb/HT1518
>
>- Mac Help (OS X Lion): Including characters and symbols in messages
> http://docs.info.apple.com/article.html?path=Mail/4.0/en/10001.html
>
>- Mac OS X 10.7 Help: About using other languages on your computer
> http://docs.info.apple.com/article.html?path=Mac/10.7/en/mchlp2267.html
>
>
>I hope this helps clear things up.
>
>- Shawn
>________________________________________
>Shawn Geddis
>Security Consulting Engineer
>Apple Enterprise Division
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden