Carl Perry wrote:

> I've got the
> ActivCard Gold for CAC installed, and the bundled Netscape PKCS11
> interface setup in Mozilla (1.5 Win32).  Website access and email
> signing work fine.

By "Website access", are you referring to SSL client authentication,
where you have to use your smart card to authenticate to the SSL server?

> The problem I am having is decrypting email messages
> sent to me.  The person I am testing with has sent me (and I have sent
> him) signed messages so we have each other's certificates.  He can
> decrypt messages I send him, but I cannot decrypt messages he sends me.
>
> Mozilla is not being very forthcoming with details as to why either.
> The message security dialog box states: "There are unknown problems with
> this encrypted message".

This is my single greatest ongoing frustration with mozilla, and it is a
legacy of the past management of PSM, the crypto GUI component of mozilla.

The NSS crypto libraries used by PSM provide literally hundreds of
unique detailed error numbers, all of which are publicly documented at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html

But sadly, under past management,  the PSM developers were instructed not
to spend time producing error messages for each of those, so more than
half of them get turned into hopelessly vague messages about something
being "corrupt or invalid", or worse yet "unknown problems".  Some of the
errors at least output the error number, giving the user at least a
chance to look up the number on that page (URL above) and find out what
is wrong.  But most error codes are simply rendered useless by PSM,
making problem diagnosis very difficult.

Perhaps if people would file bugzilla bugs every time they get one of
those useless error messages, the PSM folks would begin to appreciate
the gravity of the issue.

> I know he is using Microsoft Outlook via
> Exchange on the far end, but that shouldn't matter.  I have all the root
> CA's installed and trusted, so I don't think that is an issue either.
> Is there some way to tell Mozilla to give me debugging information when
> trying to read an S/MIME message to a log file somewhere?

Unfortunately, the only way I know of to see those error codes is to use
one of NSS's command line tools to look at the message. This involves
saving the message to a file, and then processing it with various command
line tools, and is not for the faint of heart. :) That is how I analyze
problem emails when mozilla won't tell me any useful error messages.

> Also, I may not have all the smart card stuff setup correctly.  It is
> assumed that all the crypto stuff was setup when you ordered your
> machine through NMCI - which is great, if you are a government employee
> and don't have a problem running outlook :)

Given all the things that you said do work, I don't think the smart card
itself is the problem.

> Any help would be appreciated. Thanks!

I will try to help.  You can email me directly (you'll have to demunge
my email address, but it's pretty obvious what to do).  Perhaps the
thing that would help the most, if your correspondent is willing to do it,
is for your correspondent to send an encrypted email to me, so that I
can go through it in detail and see exactly what's wrong.  Write me
for more details.

--
Nelson B

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
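
Added example, not part of the original post and not NSS or PSM code: a sketch of the "save the message to a file" step described above, which pulls the CMS blob out of a saved S/MIME message and names its outer content type so the DER bytes can be handed to a command-line tool. The function names, addresses and the stub message are constructed for illustration.

```python
import base64
import email
from email import policy

# DER-encoded OID values for the two CMS content types S/MIME mail uses.
CMS_TYPES = {
    bytes.fromhex("2a864886f70d010702"): "signedData",
    bytes.fromhex("2a864886f70d010703"): "envelopedData",
}
SMIME_MIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def der_length(buf, pos):
    """Decode the DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def cms_content_type(der):
    """Name the outer ContentInfo type of a CMS blob."""
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; body may be damaged or not CMS")
    _, pos = der_length(der, 1)
    if der[pos] != 0x06:
        raise ValueError("ContentInfo does not start with an OID")
    oid_len, pos = der_length(der, pos + 1)
    oid = der[pos:pos + oid_len]
    return CMS_TYPES.get(oid, "unknown OID " + oid.hex())

def extract_cms(raw_message):
    """Return (smime-type parameter, CMS type, DER bytes) of the first S/MIME part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() in SMIME_MIME_TYPES:
            der = part.get_payload(decode=True)  # undoes the base64 transfer encoding
            return part.get_param("smime-type"), cms_content_type(der), der
    raise ValueError("no application/pkcs7-mime part found")

# Constructed sample: a stub ContentInfo (envelopedData OID plus an empty [0]
# content) wrapped in mail headers. It is not a real encrypted message.
STUB_DER = bytes.fromhex("300f06092a864886f70d010703a0023000")
SAMPLE = (b"From: sender@example.test\r\nTo: me@example.test\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\n"
          + base64.b64encode(STUB_DER) + b"\r\n")
```

Writing the returned DER bytes to a file gives the input that a CMS command-line tool, such as the cmsutil program shipped with NSS, works on.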
