Re: [Fed-Talk] CAC-Issues with Apple Mail since macOS 10.12.3 (Sierra)
- Subject: Re: [Fed-Talk] CAC-Issues with Apple Mail since macOS 10.12.3 (Sierra)
- From: "Neely, Lee" <email@hidden>
- Date: Mon, 24 Apr 2017 23:39:30 +0000
- Thread-topic: [Fed-Talk] CAC-Issues with Apple Mail since macOS 10.12.3 (Sierra)
There is one more variant in the email match that I wish were changed.
Case-sensitive matching for PKI is a real problem. Apple implemented case-sensitive matching for the left-hand side, which the RFC permits but advises against.
This means if my certificate says email@hidden, sending to/from email@hidden is a fail.
More common is camel case email@hidden or email@hidden.
I also run into the contractor issued bob.jones@blah who sends email from bjones@blah, which is also a nuisance. I push them to get a certificate issued which includes their prevalent email (multi-SAN).
Lee
> On Apr 24, 2017, at 16:17, Blumenthal, Uri - 0553 - MITLL <email@hidden> wrote:
>
> On 4/24/17, 6:46 PM, "Fed-talk on behalf of Levine, Jason (NIH/NCI) [E]" <fed-talk-bounces+uri=email@hidden on behalf of email@hidden> wrote:
>
> I apologize for what might be a dumb question, but why would ANY email client
> successfully, or even want to, decrypt an email where the From: address is
> different from the address in the signing/encrypting certificate? This seems wrong on many levels.
>
> Yes, it is not an outstandingly impressive question. And it does reveal, er, some lack of exposure.
>
> Have you been dealing a lot with CAC and other government- or big-organization-issued tokens? Where the reality is that the email encoded there just does not match the actual real email address the email is sent from?
>
> I’ve been experiencing this for several years. Strictly speaking, it shouldn’t be like this. But it is. The choice is between being able to communicate, and being right. Take your pick.
>
>
>
>> On Apr 24, 2017, at 5:37 PM, Basil Decina <email@hidden> wrote:
>>
>> Forgive the blast but don’t know if anyone has hit the following…
>>
>> 1) Apple Mail under macOS Sierra 10.12.4 (and previously 10.12.3) can’t easily open CAC-signed (or encrypted) e-mail if the sender (“From:”) address is different than the address that signed/encrypted the message (the address in the CAC PKI cert). It literally takes 30 minutes (I timed it) to view/open such messages. If I drag the message to Outlook under Windows (under VMware), it opens quickly. If I try to drag it to Outlook under macOS, it hangs Outlook.
>>
>> This is problematic with all new messages but also in re-building/re-indexing existing messages. (It took me over 400 hours to re-index my mailboxes — ouch!)
>>
>> I removed all my DoD Root CA certs and re-installed them — no luck.
>>
>> 2) Nested mailboxes are now “disappearing” from list. They are still in "~/Library/Mail/V4” but are no longer listed inside mail.app — they disappeared over a period of days/weeks.
>>
>> I think the two issues are related.
>>
>> Has anyone hit anything similar?
>>
>> Thanks, Basil
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
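The address matching discussed at the top of this message, as an added example that is not part of the original thread or of any mail client's code: it classifies a From: header against a certificate's rfc822Name SAN entries, treating the domain as case-insensitive and the local part as case-sensitive (the strict comparison RFC 5280 describes), and shows how a multi-SAN certificate resolves the alias case. The `agency.example` addresses and all function names are constructed for illustration.

```python
from email.utils import parseaddr

def split_addr(addr):
    """Return (local_part, lowercased_domain); the domain is never case-sensitive."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    return local, domain.lower()

def classify(from_header, san_emails):
    """Compare a From: header with a certificate's rfc822Name SAN entries.

    Returns (verdict, matching_san) where verdict is:
      "exact"     - local part identical, domain equal ignoring case
      "case-only" - same mailbox apart from local-part case; a strict
                    (case-sensitive) client rejects it, a relaxed one accepts
      "mismatch"  - no SAN names this mailbox at all
    """
    _, addr = parseaddr(from_header)  # drops the display name, if any
    local, domain = split_addr(addr)
    case_only = None
    for san in san_emails:
        try:
            s_local, s_domain = split_addr(san)
        except ValueError:
            continue  # skip malformed SAN entries instead of failing the check
        if s_domain != domain:
            continue
        if s_local == local:
            return "exact", san
        if case_only is None and s_local.lower() == local.lower():
            case_only = san
    return ("case-only", case_only) if case_only else ("mismatch", None)

def accepts(from_header, san_emails, strict_local_part=True):
    """Would a client with the given local-part policy accept this sender?"""
    verdict, _ = classify(from_header, san_emails)
    return verdict == "exact" or (verdict == "case-only" and not strict_local_part)

# Constructed sample data: one certificate with a single SAN, one multi-SAN.
SINGLE_SAN = ["Bob.Jones@agency.example"]
MULTI_SAN = ["Bob.Jones@agency.example", "bjones@agency.example"]

if __name__ == "__main__":
    for hdr in ("Bob Jones <Bob.Jones@AGENCY.EXAMPLE>",
                "bob.jones@agency.example",
                "bjones@agency.example"):
        print(hdr, classify(hdr, SINGLE_SAN), classify(hdr, MULTI_SAN))
```

A "case-only" verdict points at a client policy difference, while "mismatch" means the certificate needs another SAN entry.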