<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">NASA PIV certs are not in the directory (and do not have the necessary key usage in any case). I was assuming both ends wanted to use PIV certs, though I see I was unclear on the point.<div><br><div><div>On Mar 14, 2014, at 4:01 PM, JEFFREY COMPTON <<a href="mailto:jeffrey.compton@me.com">jeffrey.compton@me.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="content-type" content="text/html; charset=utf-8"><div dir="auto"><div>To clarify - no one is talking about signing </div><div><br></div><div>Signing works fine. Encryption works fine - only if you have the encryption cert for the recipient already</div><div><br></div><div>The issue is the inability to retrieve the cert automatically from AD</div><div><br></div><div>as others have stated - works fine in outlook</div><div><br></div><div>Also works in mail app in 10.6.8 (at least in environment)</div><div><br></div><div><br></div><div><br></div><div><br><br>Sent from my iPhone</div><div><br>On Mar 14, 2014, at 6:16 PM, Henry B Hotz <<a href="mailto:hbhotz@oxy.edu">hbhotz@oxy.edu</a>> wrote:<br><br></div><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><div>It's supposed to work, architecturally. Make sure the card is in and recognized before you start trying to sign stuff? </div><div><br></div><div>What are the key usage and extended key usage values on the cert on the card? Is encryption even allowed? (If it is, then the cert should have either the <span style="font-size: 1em; ">keyEncipherment or dataEncipherment key usage bits set. The PIV card I have only has the </span><span style="font-size: 1em; ">digitalSignature</span><span style="font-size: 1em; "> key usage bit.)</span></div><div><br></div>I can't recall if I tested it with Mail, but I do know that I could sign documents in Acrobat as long as I turned off the policy enforcement. Wasn't trying to encrypt. (The Federal Bridge cert had some inappropriate policies attached to what Acrobat downloaded. Still that makes Acrobat the only thing on the planet that acknowledges the Federal Bridge at all out of the box.)<div><br><div><div>On Mar 13, 2014, at 8:30 AM, "Rowe, Walter" <<a href="mailto:walter.rowe@nist.gov">walter.rowe@nist.gov</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div><span style="font-family: LucidaSans;">We have our PIV certs populated in AD. </span><span style="font-family: LucidaSans;">I have the OS X Smartcard Services installed and enabled on an OS X </span><span style="font-family: LucidaSans;">10.9.2</span><font face="LucidaSans"> laptop
bound to AD. I can successfully log into OS X with my PIV card. I can create new email messages with click the digital signature button to successful send digitally signed emails. I can’t click the encryption button. It is is grayed out.</font></div>
<div><font face="LucidaSans"><br>
</font></div>
<div><font face="LucidaSans">I read in Apple Mail Help that I need the personal certificate for each recipient in my Keychain to send them encrypted messages. Can Apple Mail not get those certificates from AD?</font></div>
<div><font face="LucidaSans"><br>
</font></div>
<div><font face="LucidaSans">Walter</font></div>
<div apple-content-edited="true">
<div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div style="orphans: 2; widows: 2;">--</div>
<div style="orphans: 2; widows: 2;">Walter Rowe, Hosting Services<br>
Enterprise Systems / OISM<br>
Email: <a href="mailto:walter.rowe@nist.gov">walter.rowe@nist.gov</a><br>
Work: 301-975-2885</div>
</div>
</div>
<br>
</div>
_______________________________________________<br>SmartcardServices-Users mailing list<br><a href="mailto:SmartcardServices-Users@lists.macosforge.org">SmartcardServices-Users@lists.macosforge.org</a><br><a href="https://lists.macosforge.org/mailman/listinfo/smartcardservices-users">https://lists.macosforge.org/mailman/listinfo/smartcardservices-users</a><br></blockquote></div><br><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; "><div>Personal email. <a href="mailto:hbhotz@oxy.edu">hbhotz@oxy.edu</a></div><div><br></div></span><br class="Apple-interchange-newline">
</div>
<br></div></blockquote><blockquote type="cite"><span> _______________________________________________</span><br><span>Do not post admin requests to the list. They will be ignored.</span><br><span>Fed-talk mailing list (<a href="mailto:Fed-talk@lists.apple.com">Fed-talk@lists.apple.com</a>)</span><br><span>Help/Unsubscribe/Update your Subscription:</span><br><span><a href="https://lists.apple.com/mailman/options/fed-talk/jeffrey.compton%40me.com">https://lists.apple.com/mailman/options/fed-talk/jeffrey.compton%40me.com</a></span><br><span></span><br><span>This email sent to <a href="mailto:jeffrey.compton@me.com">jeffrey.compton@me.com</a></span></blockquote></div></blockquote></div><br><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div>Personal email. <a href="mailto:hbhotz@oxy.edu">hbhotz@oxy.edu</a></div><div><br></div></span><br class="Apple-interchange-newline">
</div>
<br></div></body></html>