The evidence I can offer to this conversation is that certificates hosted in the userCertificate attribute in AD are not seen (found) by Apple Mail w/ OS X 10.9.2 joined natively to AD. If the same recipient’s cert is in my local Keychain, the cert is seen (found) by Apple Mail. No change in email address case with either attempt, and the email address (local-part and domain) matches the certificate exactly, including case. The RFC 822 names (email addresses) in the PIV certs in my local keychain are all lower case.
Don’t know if this helps others.
Please recall that Jeffrey Compton reported the issue to Apple Enterprise Support who confirmed the problem.
On Mar 13, 2014, at 4:02 PM, JEFFREY COMPTON <email@hidden> wrote:
I recently submitted this issue to enterprise support
They were able to recreate our scenario which is - works in 10.6.8 but not any OS after that
Product engineering has "acknowledged" and investigating a resolution for future release
Walter
--
Walter Rowe, Hosting Services
Enterprise Systems / OISM
Email: email@hidden
Work: 301-975-2885
On Mar 24, 2014, at 12:12 PM, Miller, Timothy J. <email@hidden> wrote:
S/MIME envelope and certificate handling reference RFC 2822 for address matching rules. RFC 2822 describes email addresses in two parts, the local-part and the domain. Matching on the domain is referred to the DNS RFCs, which use explicit case-insensitive rules. RFC 2822 leaves local-part matching completely unspecified.
MTAs have generally been ambivalent on local-part matching rules, and some allow case sensitivity to be configured. The common practice (in line with the Robustness Principle) has been to use case-insensitive matching for the local-part, but there remains considerable variance.
-- T
-----Original Message-----
From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of William Cerniuk
Sent: Monday, March 24, 2014 8:39 AM
To: Carib Mendez
Cc: Levine, Jason (NIH/NCI) [E]; Fed Talk
Subject: Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
Thought case sensitivity of cert email identities was the standard. Technically
"A" is not "a".
We have this issue in our org as well. Isn't best practice to use all lower case
for links and email?
--
Best Regards,
Wm. Cerniuk
ph: 703.594.7616
On Mar 24, 2014, at 8:58, Carib Mendez <email@hidden> wrote:
If someone already mentioned this I apologize…
When encrypting mail, Apple Mail requires that the email address of
the recipient EXACTLY matches the email address in the certificate, including
CASE. We have a huge issue in that our security office issues CAC with the
email address all lowercase (as it should be) but our Help Desk creates the
email account mixed case.
Try creating a blank email and typing in the address exactly as it
appears on the Cert and see if that works.
On Mar 14, 2014, at 10:08 AM, "Levine, Jason (NIH/NCI) [E]" <email@hidden> wrote:
With all these folks who are reporting that it works for them, I
buckled down to do some more testing this morning, and damn if I just can’t
get it to work at ALL. I’ve tried on 10.9.2 and 10.9.redacted; I have PKard 1.5 as
my underlying PIV-enabling layer, and I definitely have the relevant Keychain
Access checkbox checked that is supposed to search the directory for certs.
But the only recipients I’m able to encrypt email to in Mail.app are those for
whom I already have certs in my keychain. (And I know my PIV is working fine
otherwise, because (a) I’m able to SIGN email just fine, and (b) I can use it in
other places, like decrypting email and signing into cert-enabled websites.)
Is there some way I can further debug what’s happening?
Jason
On Mar 13, 2014, at 3:50 PM, William Cerniuk <email@hidden> wrote:
A couple of things.
1 - Apple Mail is a little slow on the uptake. It can take a long
time to recognize that you have the smart card installed
2 - Relaunching Apple Mail will frequently encourage it to look
for the certs and find them
3 - the installer, as it is, puts all the files in the system and they
conflict with one another (need to trim)
I will send you the installer I built to get around the problem in
a moment if you are willing to test. Otherwise you can hand trim if you like.
--
R/Wm.
703.594.7616
On 13-Mar-2014, at 15:18, email@hidden wrote:
We have been having similar discussions at work with regards
to moving OSx users to S/MIME-encrypted enterprise email. Any help on this
would be greatly appreciated.
Hemen H. Mehta
DPC
US Senate
On Thu, Mar 13, 2014 at 3:12 PM, Levine, Jason (NIH/NCI) [E] <email@hidden> wrote:
Walter, I *literally* was about to post this same question —
I've struggled over the past few years to figure out if there's a way to get this
to work properly. I'm now faced with an absolute, ironclad mandate to move a
set of OS X users over to S/MIME-encrypted enterprise email in the next
month, and this one issue is literally my biggest obstacle.
Any advice would be appreciated!
Jason Levine
Center for Cancer Research, National Cancer Institute
> We have our PIV certs populated in AD. I have the OS X Smartcard Services installed and enabled on an OS X 10.9.2 laptop bound to AD. I can successfully log into OS X with my PIV card. I can create new email messages, click the digital signature button and successfully send digitally signed emails. I can’t click the encryption button. It is grayed out.
>
> I read in Apple Mail Help that I need the personal certificate for each recipient in my Keychain to send them encrypted messages. Can Apple Mail not get those certificates from AD?
>
> Walter
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
talk/email@hidden
This email sent to email@hidden
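Two matching rules are in play in this thread: Timothy Miller's summary of RFC 2822 (domain compared per DNS rules, local-part case left unspecified, most MTAs folding it anyway) and Carib Mendez's observation that Apple Mail requires the recipient address to match the certificate's email address exactly, including case. The Python below is an added example, not code from the thread, from Apple, or from any product mentioned; it compares a recipient address against a certificate's rfc822Name under the three policies Miller describes, and audits a constructed sample directory for accounts whose mailbox address differs from the certificate only by case, which is the data problem Mendez reports. The policy names, all addresses and SAMPLE_DIRECTORY are constructed for the example.

```python
"""Recipient-to-certificate email address matching under different policies.

RFC 2822 (now RFC 5322) writes an address as local-part@domain. The domain is
compared with DNS rules (case-insensitive); the local-part's case handling is
left to the receiving system. The thread reports Apple Mail requiring an
exact, case-including match, so a mixed-case mailbox address will not find
an all-lowercase PIV certificate even though the certificate is present.
"""
from typing import Dict, List, Optional, Tuple

# Example's own policy names (constructed, not an Apple or RFC term).
POLICIES = ("exact", "domain-insensitive", "insensitive")


def split_address(addr: str) -> Tuple[str, str]:
    """Split an addr-spec into (local-part, domain).

    Splits on the LAST '@' so a quoted local-part such as "a@b"@example.gov
    survives; optional angle brackets and a trailing dot on the domain are
    dropped.
    """
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    return local, domain.rstrip(".")


def addresses_match(a: str, b: str, policy: str = "domain-insensitive") -> bool:
    """Compare two addresses under one policy.

    exact              - local-part and domain byte-for-byte (what the thread
                         reports Apple Mail requiring against the rfc822Name).
    domain-insensitive - local-part exact, domain per DNS rules (the strict
                         reading of RFC 2822).
    insensitive        - everything case-folded (common MTA practice).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    la, da = split_address(a)
    lb, db = split_address(b)
    if policy == "exact":
        return la == lb and da == db
    if da.casefold() != db.casefold():  # DNS names never distinguish case
        return False
    if policy == "domain-insensitive":
        return la == lb
    return la.casefold() == lb.casefold()


def find_certificate(recipient: str, rfc822_names: List[str], policy: str) -> Optional[str]:
    """Return the first certificate rfc822Name matching the recipient, or None."""
    for name in rfc822_names:
        if addresses_match(recipient, name, policy):
            return name
    return None


def diagnose(recipient: str, rfc822_names: List[str]) -> Dict[str, Optional[str]]:
    """Report which policies would locate a certificate for this recipient.

    {'exact': None, ..., 'insensitive': 'x@y'} means the certificate exists
    and only the case differs: a directory data problem, not a missing cert.
    """
    return {p: find_certificate(recipient, rfc822_names, p) for p in POLICIES}


def case_only_mismatches(directory: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Audit helper: mailbox addresses that fail the exact match but would
    match case-insensitively, i.e. the accounts whose address needs fixing.

    `directory` maps the address as stored on the mail account to the
    rfc822Name values carried by that user's certificates.
    """
    found = []
    for mailbox, names in directory.items():
        result = diagnose(mailbox, names)
        if result["exact"] is None and result["insensitive"] is not None:
            found.append((mailbox, result["insensitive"]))
    return found


# Constructed sample data (not from the thread): mailbox address as the help
# desk created it -> rfc822Name(s) in that user's encryption certificate.
SAMPLE_DIRECTORY = {
    "jane.doe@example.gov": ["jane.doe@example.gov"],       # consistent
    "John.Smith@example.gov": ["john.smith@example.gov"],   # mixed-case mailbox
    "pat.lee@EXAMPLE.GOV": ["pat.lee@example.gov"],         # domain case only
    "sam.park@example.gov": [],                             # no cert published
}

if __name__ == "__main__":
    for mailbox, names in SAMPLE_DIRECTORY.items():
        print(mailbox, diagnose(mailbox, names))
    print("fix these:", case_only_mismatches(SAMPLE_DIRECTORY))
```

Feeding the script the mailbox addresses from the mail system and the rfc822Name values pulled from each user's published certificate separates the two failure modes people in the thread are seeing: a recipient with no match under any policy has no certificate published at all, while a recipient that matches only under "insensitive" has a certificate whose address was entered with different case and will not be found by a client that matches exactly.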