Re: [Fed-Talk] Mail.mil and 'remembered certificates' (Identity Preferences)
- Subject: Re: [Fed-Talk] Mail.mil and 'remembered certificates' (Identity Preferences)
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 17 Oct 2013 18:41:21 +0000
- Thread-topic: [Fed-Talk] Mail.mil and 'remembered certificates' (Identity Preferences)
There's nothing about name check suppression that violates the standard.
I could quote you RFC 5750 Section 3 *again* but what would be the point?
-- T
On 10/17/13 12:49 PM, "Shawn A. Geddis" <email@hidden> wrote:
>
>On Oct 17, 2013, at 12:42 PM, Martin M. Lindner <email@hidden> wrote:
>
>Shawn,
>
>I've been using Identity Preferences for recipient email addresses for a
>long time but I've never been able to get this to work for the sender
>email address. For example, the cert has a rfc822name of
>email@hidden and the email address of the user is
>email@hidden <mailto:email@hidden>. Is this a problem for users converting to
>mail.mil without getting their CAC updated? Am I missing something?
>
>Martin,
>
>Well, let’s start with a few things here…
>
>email@hidden < > email@hidden so when adhering to standards, this would not
>be a valid certificate to use, so OS X correctly rejects it by
>default before Mail can use it for S/MIME. I am sure this is where we
>will see a storm of gov folks jump all over me about "name suppression”
>…but guys/girls, that is not standards-based PKI, but rather a desire
>by some to force PKI to solve process issues within your organization.
>I have noted this a few times before on this list.
>
>Now, for those that feel the need to break the laws of PKI and force
>this, you can do the following:
>
>Create an Identity Preference for the email address as follows:
>
>Email Account/Address: email@hidden
>Email Cert: email@hidden
>
>Via Keychain Access
>
>1. Launch Keychain Access
>2. Select “My Certificates” from the “Category” list (lower left corner of window)
>3. Enter the email address (RFC822Name) in the certificate you want to use
>4. Choose to create an Identity Preference in one of two ways
>
>   1. <Control>-Click on the certificate and select “New Identity Preference…”
>   2. Select certificate and then Keychain Access->File->New Identity Preference…
>
>5. Enter the email address you want to override (i.e. email@hidden)
>6. Select the Certificate: <Certificate with email@hidden as RFC822Name for
>digital signing>
>7. Done! - Send from email@hidden and Mail will allow you to Sign the
>message
>
>Via CLI security command
>
>1. Launch Terminal
>2. Execute the following, replacing content between “<” and “>” with your relevant information
>
>   1. security set-identity-preference -Z <SHA-1 HASH of Email Certificate> -s <ACCT you want to override>
>
>
>Example for me which I just did and works fine…
>
>If you leave the remaining default settings alone you will see the
>following on the OS X side…
>It will be successfully signed, but on OS X it will flag this as “Unable
>to verify message” with a status relating to the certificate of “This
>certificate is not valid (email address mismatch)”.
>
>If you now want to not display the “Unable to verify message” banner…
>choose to accept email from this address signed with this certificate by
>clicking the checkbox as noted below with the email certificate selected
>in the Trust Chain List.
>
>And the results will look like this...
>
>- Shawn
>________________________________________
>Shawn Geddis
>Security Consulting Engineer
>• Apple Enterprise Division
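The two behaviours the quoted message describes (Mail flagging "email address mismatch" when the sender address is not an RFC822Name in the signing certificate, and the per-address, per-certificate acceptance that suppresses the banner) correspond to the receiving-agent check in RFC 5750 Section 3. The following is an added example that models that check in plain Python; it is not code from the thread, from Apple, or from Mail.app. It assumes local-parts compare exactly and domains case-insensitively, treats a match on either the From or the Sender header as sufficient, and uses constructed addresses (`old.example`, `mail.example`) and a placeholder byte string standing in for the certificate's DER bytes. Extracting the real rfc822Name entries from a certificate would need an X.509 parser and is not shown.

```python
# Added example (not from the thread or Apple): a model of the RFC 5750
# section 3 sender-address check a receiving agent applies to an S/MIME
# signature, plus the per-address/per-certificate acceptance that overrides
# a mismatch, and the argv for the sending-side identity preference the
# thread shows. All sample values below are constructed.
import hashlib
from email import message_from_string
from email.utils import getaddresses
from typing import Iterable, List, Tuple

# Constructed sample data: the CAC certificate still carries the old address,
# the user now sends from the migrated account.
OLD_CERT_ADDR = "jane.doe@old.example"          # rfc822Name in the certificate
NEW_ACCOUNT = "jane.doe@mail.example"           # address the user sends from now
FAKE_CERT_DER = b"constructed-der-placeholder"  # stands in for real DER bytes

SAMPLE_MESSAGE = (
    "From: Jane Doe <jane.doe@mail.example>\r\n"
    "To: ops@example.test\r\n"
    "Subject: signed test\r\n"
    "\r\n"
    "body\r\n"
)


def normalize_address(addr: str) -> Tuple[str, str]:
    """Assumption: local-part compared exactly (RFC 5321), domain case-insensitively."""
    local, _, domain = addr.strip().rpartition("@")
    return local, domain.lower()


def header_addresses(raw_message: str) -> List[str]:
    """Addresses from the From and Sender headers (RFC 5750 s3 names both).
    Assumption: a match on either header satisfies the check."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("From", []) + msg.get_all("Sender", []))
    return [addr for _, addr in pairs if addr]


def certificate_fingerprint(cert_der: bytes) -> str:
    """SHA-1 over the DER bytes: the hash Keychain Access displays and that
    `security set-identity-preference -Z` expects."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def check_signer_address(raw_message: str, cert_rfc822names: Iterable[str],
                         cert_der: bytes,
                         accepted: Iterable[Tuple[str, str]] = ()) -> Tuple[str, str]:
    """Receiving-agent check. Returns (status, detail):
      'match'    - a From/Sender address is an rfc822Name in the certificate
      'accepted' - mismatch, but this (address, fingerprint) pair was explicitly
                   accepted (the "accept email from this address signed with
                   this certificate" checkbox in the thread)
      'mismatch' - RFC 5750's explicit alternate processing: report the
                   addresses the certificate actually carries"""
    cert_addrs = {normalize_address(a) for a in cert_rfc822names}
    hdr_addrs = header_addresses(raw_message)
    for addr in hdr_addrs:
        if normalize_address(addr) in cert_addrs:
            return "match", addr
    fp = certificate_fingerprint(cert_der)
    accepted_pairs = {(normalize_address(a), f.upper()) for a, f in accepted}
    for addr in hdr_addrs:
        if (normalize_address(addr), fp) in accepted_pairs:
            return "accepted", addr
    return "mismatch", "certificate is for " + ", ".join(sorted(cert_rfc822names))


def identity_preference_command(cert_der: bytes, account: str) -> List[str]:
    """argv for the sending-side override from the thread (macOS `security`);
    built, not executed, so it can be reviewed before use."""
    return ["security", "set-identity-preference",
            "-Z", certificate_fingerprint(cert_der), "-s", account]


if __name__ == "__main__":
    print(check_signer_address(SAMPLE_MESSAGE, [OLD_CERT_ADDR], FAKE_CERT_DER))
    override = {(NEW_ACCOUNT, certificate_fingerprint(FAKE_CERT_DER))}
    print(check_signer_address(SAMPLE_MESSAGE, [OLD_CERT_ADDR], FAKE_CERT_DER, override))
    print(" ".join(identity_preference_command(FAKE_CERT_DER, NEW_ACCOUNT)))
```

Run stand-alone, the script first reports the mismatch for the migrated account, then the accepted status once the address/fingerprint pair is on the acceptance list, then the `security set-identity-preference` command line the thread gives, with the SHA-1 filled in from the certificate bytes rather than typed by hand.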
_______________________________________________
Fed-talk mailing list (email@hidden)