Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
- Subject: Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
- From: "Walls, Bryan K. (MSFC-EO50)" <email@hidden>
- Date: Wed, 26 Mar 2014 20:18:29 +0000
- Thread-topic: [Fed-Talk] Encrypted Apple Mail w/ PIV
What would be the process for modifying RFC 2822? I really wish I'd started down that path about 8 years ago when this first started biting me with S/MIME and Eudora.
My take is that, while it was a valid point of discussion back when email was getting started. I remember when the "local-part" of an email could be a string that was a full address in some other email system.
But, today, clearly case insensitivity has won. No one would expect that if they signed up for email@hidden, that email sent to email@hidden would be going to a completely different person. Users would be outraged. And returning that email@hidden is an invalid address wouldn't be better. All typical users would consider that behavior broken.
Seems to me the RFC should be changed. The tricky part of the discussion would be non-English character sets and what case insensitivity means with that taken into account. But changing the RFC is probably the only way encryption is ever going to work from Macs in my (Microsoft dominant) environment.
Bryan Walls
email@hidden
256-544-3311
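An added example, not code from this thread or from Apple Mail, showing the two recipient-to-certificate matching policies discussed below: the domain is always compared case-insensitively (DNS rules), while the local-part is either matched exactly (the behaviour Carib reports from Mail.app) or case-folded. The keychain entries and addresses are constructed placeholders.

```python
from email.utils import parseaddr


def split_address(addr: str):
    """Return (local_part, domain) for an RFC 2822 addr-spec, display name stripped."""
    _, spec = parseaddr(addr)
    local, sep, domain = spec.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    return local, domain


def addresses_match(recipient: str, cert_email: str, local_case_sensitive: bool) -> bool:
    """Compare a recipient address with the email in a certificate.

    The domain is compared case-insensitively, as the DNS RFCs require.
    Local-part handling is the policy choice RFC 2822 leaves unspecified.
    """
    r_local, r_domain = split_address(recipient)
    c_local, c_domain = split_address(cert_email)
    if r_domain.lower() != c_domain.lower():
        return False
    if local_case_sensitive:
        return r_local == c_local
    return r_local.lower() == c_local.lower()


def find_encryption_cert(recipient: str, keychain, local_case_sensitive: bool):
    """Return the first keychain entry whose email matches, or None.

    None is the situation described in the thread: no usable recipient
    certificate, so the client leaves the encrypt button grayed out.
    """
    for cert in keychain:
        if addresses_match(recipient, cert["email"], local_case_sensitive):
            return cert
    return None


# Constructed sample keychain: the issuing office puts an all-lowercase
# address in the certificate, while the mail account was created mixed case.
KEYCHAIN = [
    {"subject": "USER.ONE (sample)", "email": "user.one@example.gov"},
    {"subject": "USER.TWO (sample)", "email": "user.two@example.gov"},
]

if __name__ == "__main__":
    for strict in (True, False):
        hit = find_encryption_cert("User.One@Example.gov", KEYCHAIN, strict)
        print("exact local-part" if strict else "folded local-part", "->", hit)
```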
On Mar 24, 2014, at 11:12 AM, "Miller, Timothy J." <email@hidden> wrote:
> S/MIME envelope and certificate handling reference RFC 2822 for address matching rules. RFC 2822 describes email addresses in two parts, the local-part and the domain. Matching on the domain is referred to DNS RFCs which use explicit case-insensitive rules. RFC 2822 leaves local-part matching completely unspecified.
>
> MTAs have generally been ambivalent on local-part matching rules, and some allow case sensitivity to be configured. The common practice (in line with the Robustness Principle) has been to use case-insensitive matching for local-part, but there remains considerable variance.
>
> -- T
>
>> -----Original Message-----
>> From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-
>> bounces+tmiller=email@hidden] On Behalf Of William Cerniuk
>> Sent: Monday, March 24, 2014 8:39 AM
>> To: Carib Mendez
>> Cc: Levine, Jason (NIH/NCI) [E]; Fed Talk
>> Subject: Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
>>
>> Thought case sensitivity of cert email identities was the standard. Technically
>> "A" is not "a".
>>
>> We have this issue in our org as well. Isn't best practice to use all lower case
>> for links and email?
>>
>> --
>> Best Regards,
>> Wm. Cerniuk
>>
>> ph: 703.594.7616
>>
>>
>> On Mar 24, 2014, at 8:58, Carib Mendez <email@hidden> wrote:
>>
>>
>>
>> If someone already mentioned this I apologize…
>>
>> When encrypting mail, Apple Mail requires that the email address of
>> the recipient EXACTLY matches the email address in the certificate, including
>> CASE. We have a huge issue in that our security office issues CAC with the
>> email address all lowercase (as it should be) but our Help Desk creates the
>> email account mixed case.
>>
>> Try creating a blank email and typing in the address exactly as it
>> appears on the Cert and see if that works.
>>
>> On Mar 14, 2014, at 10:08 AM, "Levine, Jason (NIH/NCI) [E]"
>> <email@hidden> wrote:
>>
>>
>>
>> With all these folks who are reporting that it works for them, I
>> buckled down to do some more testing this morning, and damn if I just can’t
>> get it to work at ALL. I’ve tried on 10.9.2 and 10.9.redacted; I have PKard 1.5 as
>> my underlying PIV-enabling layer, and I definitely have the relevant Keychain
>> Access checkbox checked that is supposed to search the directory for certs.
>> But the only recipients I’m able to encrypt email to in Mail.app are those for
>> whom I already have certs in my keychain. (And I know my PIV is working fine
>> otherwise, because (a) I’m able to SIGN email just fine, and (b) I can use it in
>> other places, like decrypting email and signing into cert-enabled websites.)
>>
>> Is there some way I can further debug what’s happening?
>>
>> Jason
>>
>>
>> On Mar 13, 2014, at 3:50 PM, William Cerniuk
>> <email@hidden> wrote:
>>
>> A couple of things.
>>
>> 1 - Apple Mail is a little slow on the uptake. It can take a long
>> time to recognize that you have the smart card installed
>> 2 - Relaunching Apple Mail will frequently encourage it to look
>> for the certs and find them
>> 3 - the installer, as it is, puts all the files in the system and they
>> conflict with one another (need to trim)
>>
>> I will send you the installer I built to get around the problem in
>> a moment if you are willing to test. Otherwise you can hand trim if you like.
>>
>>
>> --
>> R/Wm.
>>
>> 703.594.7616
>>
>>
>>
>>
>> On 13-Mar-2014, at 15:18,
>> email@hidden wrote:
>>
>> We have been having similar discussions at work with regards
>> to moving OSx users to S/MIME-encrypted enterprise email. Any help on this
>> would be greatly appreciated.
>>
>> Hemen H. Mehta
>> DPC
>> US Senate
>>
>>
>>
>> On Thu, Mar 13, 2014 at 3:12 PM, Levine, Jason (NIH/NCI) [E]
>> <email@hidden> wrote:
>> Walter, I *literally* was about to post this same question —
>> I've struggled over the past few years to figure out if there's a way to get this
>> to work properly. I'm now faced with an absolute, ironclad mandate to move a
>> set of OS X users over to S/MIME-encrypted enterprise email in the next
>> month, and this one issue is literally my biggest obstacle.
>>
>> Any advice would be appreciated!
>>
>> Jason Levine
>> Center for Cancer Research, National Cancer Institute
>>
>>
>> > We have our PIV certs populated in AD. I have the OS X
>> Smartcard Services installed and enabled on an OS X 10.9.2 laptop bound to
>> AD. I can successfully log into OS X with my PIV card. I can create new email
>> messages and click the digital signature button to successfully send digitally
>> signed emails. I can’t click the encryption button. It is grayed out.
>> >
>> > I read in Apple Mail Help that I need the personal
>> certificate for each recipient in my Keychain to send them encrypted
>> messages. Can Apple Mail not get those certificates from AD?
>> >
>> > Walter
>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>> talk/email@hidden
>>
>> This email sent to email@hidden