Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
- Subject: Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
- From: "Levine, Jason (NIH/NCI) [E]" <email@hidden>
- Date: Thu, 27 Mar 2014 21:48:42 +0000
- Thread-topic: Encrypted Apple Mail w/ PIV
Shawn, regarding the below: there have been (to my memory) three people who have reported in this thread that Mail.app cert lookup in the GAL is broken in 10.9 (and 10.8?) even when satisfying the exact prerequisites you mention, and that this is an issue which has been acknowledged by Apple without solution or workaround. That's definitely what I'm seeing -- a properly-bound 10.9.2 Mac with the proper Keychain Access pref checked which is not finding the certs for users in the GAL/AD, period. (And yes, I know it's unrelated to PIV card functionality per se, although in my experience Mail.app won't display the signing and encryption options unless it finds a valid and matching signing cert, and for me that's my PIV.)
I'm not one of the people who has open bug reports in with Apple on this, so I don't know Radar numbers or status on it... but if your understanding is that cert lookup is working, either our experience needs to be properly debugged/troubleshot or your understanding isn't current.
Jason Levine
National Cancer Institute
> On Mar 27, 2014, at 4:52 PM, "Shawn A. Geddis" <email@hidden> wrote:
>
> Apple Mail can pull S/MIME certificates from the GAL for encrypting messages to recipients *IF* you have the Mac bound to AD and you have Keychain Access -> Preferences -> “Search directory services for certificates" checked. There are and always have been some other key issues that seem to trip folks up here on why they cannot sign their own messages and cannot encrypt a message to someone. Keep in mind that Mail will request and use only a valid certificate.
>
> Issues that cause failures in Signing & Encrypting Mail:
> - Trust failures
>   - Failed acquisition of the Trust Chain
>   - Failed Trust of any of the certificates in the Chain
> - Expiration / Revocation of the certificate
> - Email Address / RFC822Name Mismatch
>   - Case-sensitive for local-part: email@hidden ≠ email@hidden
>   - Mismatched email address: email@hidden ≠ email@hidden
> The use of a Smart Card to digitally sign your email messages has no connection to whether you can encrypt a message to someone. The above conditions hold true for both signing the message as well as encrypting the message to the recipient(s).
>
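The conditions Shawn lists (validity period, revocation, a chain that ends at a trusted anchor, and an rfc822Name that matches the address with a case-sensitive local-part) can be written down as a small diagnostic that reports which check a certificate fails. The following is an added example for this thread, not code from Apple, Mail.app or anyone on the list; `CertRecord`, `check_smime_cert`, the CA names and the addresses are all constructed for illustration, and the record stands in for fields you would read out of a real certificate with a parser. It does not model OCSP/CRL fetching or path building; those are represented by a revoked-serial set and a pre-resolved issuer chain.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CertRecord:
    # Fields as they would be read out of an S/MIME certificate.
    # Constructed for this example, not parsed from a real certificate.
    serial: str
    rfc822_names: list        # subjectAltName rfc822Name entries
    not_before: datetime
    not_after: datetime
    issuer_chain: list        # issuer names, leaf's issuer first, root last


def split_address(addr):
    """Split an address into (local-part, domain). The local-part keeps its
    case; the domain is case-folded, since DNS names are case-insensitive."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % addr)
    return local, domain.lower()


def address_matches(cert_name, recipient):
    """True only if the rfc822Name and the recipient address agree exactly on
    the local-part (case-sensitive) and case-insensitively on the domain."""
    try:
        return split_address(cert_name) == split_address(recipient)
    except ValueError:
        return False


def check_smime_cert(cert, address, now, trust_anchors, revoked_serials):
    """Return the reasons a client would refuse `cert` for `address`.
    An empty list means it passes every check modelled here."""
    problems = []
    if not (cert.not_before <= now <= cert.not_after):
        problems.append("outside validity period")
    if cert.serial in revoked_serials:
        problems.append("revoked")
    if not cert.issuer_chain:
        problems.append("trust chain could not be acquired")
    elif cert.issuer_chain[-1] not in trust_anchors:
        problems.append("chain does not end at a trusted anchor: %s"
                        % cert.issuer_chain[-1])
    if not any(address_matches(n, address) for n in cert.rfc822_names):
        problems.append("no rfc822Name matches %s (local-part is case-sensitive)"
                        % address)
    return problems


# Constructed demo data: hypothetical CA names, addresses and serials.
TRUST_ANCHORS = {"Example Federal Root CA"}
REVOKED = {"0x2a"}
NOW = datetime(2014, 3, 27, tzinfo=timezone.utc)

GOOD = CertRecord("0x10", ["jdoe@agency.example.gov"],
                  datetime(2013, 1, 1, tzinfo=timezone.utc),
                  datetime(2016, 1, 1, tzinfo=timezone.utc),
                  ["Example Agency Issuing CA", "Example Federal Root CA"])

# Expired, revoked, and chained to an issuer that is not a trust anchor.
BAD = CertRecord("0x2a", ["jdoe@agency.example.gov"],
                 datetime(2011, 1, 1, tzinfo=timezone.utc),
                 datetime(2013, 1, 1, tzinfo=timezone.utc),
                 ["Example Agency Issuing CA"])

if __name__ == "__main__":
    # Domain case differs only: passes.
    print(check_smime_cert(GOOD, "jdoe@AGENCY.example.gov", NOW, TRUST_ANCHORS, REVOKED))
    # Local-part case differs: the address check fails.
    print(check_smime_cert(GOOD, "JDoe@agency.example.gov", NOW, TRUST_ANCHORS, REVOKED))
    print(check_smime_cert(BAD, "jdoe@agency.example.gov", NOW, TRUST_ANCHORS, REVOKED))
```

The point of the local-part rule is the one Shawn makes: a directory entry whose mail attribute is capitalised differently from the rfc822Name in the certificate will not be matched, even though both deliver to the same mailbox. When Mail silently offers no signing or encryption option, checking the SAN string byte-for-byte against the address the client is using is the first thing to do.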
Fed-talk mailing list (email@hidden)