Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
- Subject: Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 14 Mar 2014 13:00:32 +0000
- Thread-topic: [Fed-Talk] Encrypted Apple Mail w/ PIV
It's more complex than that.
There are two attributes: userCertificate and userSMIMECertificate. Different MUAs will look for either or both, and sometimes the conditions when one is preferred over the other change within a single MUA.
userCertificate is expected to be a binary certificate object (basically the cert in DER encoded form). userCertificate can obviously be populated by anyone. In some environments, this attribute is populated by the issuing CA (directly or indirectly through directory replication).
userSMIMECertificate is expected to be a signed PKCS#7 object with empty Contents in DER encoded form. This can only be populated by an application (usually the MUA) with access to the private key. In Exchange environments, this is usually populated by the user through Outlook (in Trust Center using the "Publish to GAL" button in the Email Security group). Outlook on Mac has no equivalent I can recall. I've seen attempts to use small applications run from login scripts to semi-automate populating this attribute, but most never functioned that well and I don't recommend that approach.
Generally MUAs prefer userSMIMECertificate over userCertificate because the PKCS#7 object contains the MUA's preferred cryptographic capabilities--hash algorithm, key establishment algorithm, and symmetric algorithm--which you need to send encrypted messages to that MUA. There are conditions where userCertificate will be used instead, but they vary by MUA.
I did a series of test cases on this years ago that laid out the (apparent) rules for a couple of common MUAs, but the results are seriously outdated.
-- T
>-----Original Message-----
>From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Rowe, Walter
>Sent: Thursday, March 13, 2014 5:34 PM
>To: Apple Fed-Talk List
>Subject: Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
>
>Can someone confirm for me what attribute in AD needs to be populated with
>each user's encryption cert? Is it userCertificate? See this Microsoft KB article.
>
>
>http://support.microsoft.com/kb/2840546
>
>
>Walter
>
>--
>Walter Rowe, Hosting Services
>Enterprise Systems / OISM
>Email: email@hidden
>Work: 301-975-2885
>
>On Mar 13, 2014, at 4:57 PM, William Cerniuk <email@hidden> wrote:
>
>
> Working nicely in 10.7, 10.8 and 10.9 for me. Just sluggish.
>
> --
> R/Wm.
>
> 703.594.7616
>
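Timothy Miller's point above, that userSMIMECertificate carries the MUA's preferred algorithms inside the signed PKCS#7 object, can be checked directly against the directory value. What follows is an added example, not code from the thread or from any MUA: a minimal DER walker (Python standard library only) that locates the SMIMECapabilities attribute in the blob and lists the algorithm OIDs in the order the publishing MUA prefers them. The sample bytes and the OID-to-name table are constructed here; the walker only finds the attribute, it does not verify the PKCS#7 signature.

```python
# Added example: a minimal stdlib DER walker that pulls the SMIMECapabilities
# attribute (OID 1.2.840.113549.1.9.15) out of a userSMIMECertificate blob.
SMIME_CAPABILITIES_OID = "1.2.840.113549.1.9.15"
OID_NAMES = {"2.16.840.1.101.3.4.1.42": "aes256-CBC", "2.16.840.1.101.3.4.1.2": "aes128-CBC",
             "1.2.840.113549.3.7": "des-ede3-cbc", "2.16.840.1.101.3.4.2.1": "sha256"}
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):  # yield (tag, value) of each element inside a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner
def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))
def smime_capabilities(der):
    """Return the capability OIDs in the order the MUA listed them (most
    preferred first), or None if no SMIMECapabilities attribute is present."""
    kids = list(_children(der))
    if kids and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == SMIME_CAPABILITIES_OID:
        # Attribute ::= SEQUENCE { type OID, values SET OF (SEQUENCE OF SMIMECapability) }
        caps = next(_children(kids[1][1]))[1]
        return [_decode_oid(next(_children(cap))[1]) for _, cap in _children(caps)]
    for tag, inner in kids:
        if tag & 0x20:  # constructed element: descend into it
            found = smime_capabilities(inner)
            if found is not None:
                return found
    return None
def capability_names(der):
    return [OID_NAMES.get(o, o) for o in smime_capabilities(der) or []]
# Constructed sample (not real directory data): the attribute nested as it sits in
# SignerInfo.authenticatedAttributes; a real blob has more siblings, which are skipped.
SAMPLE = bytes.fromhex(
    "3039" "a037" "3035"                # SEQUENCE { [0] { Attribute SEQUENCE {
    "06092a864886f70d01090f"            #   type: 1.2.840.113549.1.9.15
    "3128" "3026"                       #   values: SET { SEQUENCE OF {
    "300b" "060960864801650304012a"     #     aes256-CBC
    "300b" "0609608648016503040102"     #     aes128-CBC
    "300a" "06082a864886f70d0307")      #     des-ede3-cbc }}}}}
```

With a real value, read the raw bytes of the userSMIMECertificate attribute from LDAP and pass them to capability_names; an empty result on a populated entry usually means the MUA published the attribute without SMIMECapabilities, in which case the sending MUA falls back to its own defaults.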
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden