Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
- Subject: Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
- From: "Miller, Timothy J." <email@hidden>
- Date: Mon, 24 Mar 2014 16:12:09 +0000
- Thread-topic: [Fed-Talk] Encrypted Apple Mail w/ PIV
S/MIME envelope and certificate handling reference RFC 2822 for address matching rules. RFC 2822 describes email addresses in two parts, the local-part and the domain. Matching on the domain is referred to DNS RFCs, which use explicit case-insensitive rules. RFC 2822 leaves local-part matching completely unspecified.
MTAs have generally been ambivalent on local-part matching rules, and some allow case sensitivity to be configured. The common practice (in line with the Robustness Principle) has been to use case-insensitive matching for local-part, but there remains considerable variance.
-- T
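
An added example (not part of the original message): a small audit that compares a mail account address with the address in a certificate under the rules described above, treating the domain as case-insensitive and reporting local-part case differences separately, since a client that requires a byte-identical match, as reported for Apple Mail in this thread, rejects both. The addresses, function names and verdict labels are constructed for illustration.

```python
from email.utils import parseaddr


def split_addr(value):
    """Return (local_part, domain), tolerating a display name around the address."""
    _, addr = parseaddr(value)
    local, at, domain = addr.rpartition("@")  # split on the last "@"
    if not at or not local or not domain:
        raise ValueError(f"not an addr-spec: {value!r}")
    return local, domain


def classify(account_addr, cert_addr):
    """Classify how an account address relates to a certificate address.

    exact       - byte-identical; works even with an exact-match client
    domain-case - differs only in domain case (equivalent under DNS rules)
    local-case  - local-part differs in case (equivalence depends on the MTA)
    different   - not the same mailbox under any case rule
    """
    a_local, a_dom = split_addr(account_addr)
    c_local, c_dom = split_addr(cert_addr)
    if a_dom.lower() != c_dom.lower():
        return "different"
    if a_local == c_local:
        return "exact" if a_dom == c_dom else "domain-case"
    if a_local.lower() == c_local.lower():
        return "local-case"
    return "different"


# Constructed sample data: (mail account address, address in the certificate).
SAMPLE_PAIRS = [
    ("Jane.Doe@agency.example", "jane.doe@agency.example"),
    ("john.roe@Agency.Example", "john.roe@agency.example"),
    ("sam.poe@agency.example", "sam.poe@agency.example"),
    ("Pat Lee <pat.lee@agency.example>", "plee@agency.example"),
]


def audit(pairs):
    """Return (account, cert, verdict) for every pair that is not byte-identical."""
    rows = [(acct, cert, classify(acct, cert)) for acct, cert in pairs]
    return [row for row in rows if row[2] != "exact"]


if __name__ == "__main__":
    for account, cert, verdict in audit(SAMPLE_PAIRS):
        print(f"{verdict:12} account={account} cert={cert}")
```
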
>-----Original Message-----
>From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-
>bounces+tmiller=email@hidden] On Behalf Of William Cerniuk
>Sent: Monday, March 24, 2014 8:39 AM
>To: Carib Mendez
>Cc: Levine, Jason (NIH/NCI) [E]; Fed Talk
>Subject: Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
>
>Thought case sensitivity of cert email identities was the standard. Technically
>"A" is not "a".
>
>We have this issue in our org as well. Isn't best practice to use all lower case
>for links and email?
>
>--
>Best Regards,
>Wm. Cerniuk
>
>ph: 703.594.7616
>
>
>On Mar 24, 2014, at 8:58, Carib Mendez <email@hidden> wrote:
>
>
>
> If someone already mentioned this I apologize…
>
> When encrypting mail, Apple Mail requires that the email address of
>the recipient EXACTLY matches the email address in the certificate, including
>CASE. We have a huge issue in that our security office issues CAC with the
>email address all lowercase (as it should be) but our Help Desk creates the
>email account mixed case.
>
> Try creating a blank email and typing in the address exactly as it
>appears on the Cert and see if that works.
>
> On Mar 14, 2014, at 10:08 AM, "Levine, Jason (NIH/NCI) [E]"
><email@hidden> wrote:
>
>
>
> With all these folks who are reporting that it works for them, I
>buckled down to do some more testing this morning, and damn if I just can’t
>get it to work at ALL. I’ve tried on 10.9.2 and 10.9.redacted; I have PKard 1.5 as
>my underlying PIV-enabling layer, and I definitely have the relevant Keychain
>Access checkbox checked that is supposed to search the directory for certs.
>But the only recipients I’m able to encrypt email to in Mail.app are those for
>whom I already have certs in my keychain. (And I know my PIV is working fine
>otherwise, because (a) I’m able to SIGN email just fine, and (b) I can use it in
>other places, like decrypting email and signing into cert-enabled websites.)
>
> Is there some way I can further debug what’s happening?
>
> Jason
>
>
> On Mar 13, 2014, at 3:50 PM, William Cerniuk
><email@hidden> wrote:
>
> A couple of things.
>
> 1 - Apple Mail is a little slow on the uptake. It can take a long
>time to recognize that you have the smart card installed
> 2 - Relaunching Apple Mail will frequently encourage it to look
>for the certs and find them
> 3 - the installer, as it is, puts all the files in the system and they
>conflict with one another (need to trim)
>
> I will send you the installer I built to get around the problem in
>a moment if you are willing to test. Otherwise you can hand trim if you like.
>
>
> --
> R/Wm.
>
> 703.594.7616
>
>
>
>
> On 13-Mar-2014, at 15:18,
>email@hidden wrote:
>
> We have been having similar discussions at work with regards
>to moving OS X users to S/MIME-encrypted enterprise email. Any help on this
>would be greatly appreciated.
>
> Hemen H. Mehta
> DPC
> US Senate
>
>
>
> On Thu, Mar 13, 2014 at 3:12 PM, Levine, Jason (NIH/NCI) [E]
><email@hidden> wrote:
> Walter, I *literally* was about to post this same question —
>I've struggled over the past few years to figure out if there's a way to get this
>to work properly. I'm now faced with an absolute, ironclad mandate to move a
>set of OS X users over to S/MIME-encrypted enterprise email in the next
>month, and this one issue is literally my biggest obstacle.
>
> Any advice would be appreciated!
>
> Jason Levine
> Center for Cancer Research, National Cancer Institute
>
>
> > We have our PIV certs populated in AD. I have the OS X
>Smartcard Services installed and enabled on an OS X 10.9.2 laptop bound to
>AD. I can successfully log into OS X with my PIV card. I can create new email
>messages and click the digital signature button to successfully send digitally
>signed emails. I can’t click the encryption button. It is grayed out.
> >
> > I read in Apple Mail Help that I need the personal
>certificate for each recipient in my Keychain to send them encrypted
>messages. Can Apple Mail not get those certificates from AD?
> >
> > Walter
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden<mailto:Fed-
>email@hidden >)
> Help/Unsubscribe/Update your Subscription:
>talk/email@hidden
>
> This email sent to
>email@hidden<mailto:email@hidden >
>