How does Apple validate S/MIME signatures?

1 vote
0 answers
50 views
There is obviously a change in how Apple validates S/MIME signed emails in the Mail app of macOS 15 Sequoia, because the signatures made with our S/MIME certificates used to be accepted just fine up to and including macOS 14 Sonoma, but in Sequoia they no longer validate. They still work in iOS 18.2, as well as in Thunderbird. eM Client, on the other hand, complains about "an incomplete certificate revocation check". I suspect that there is a new requirement that a certificate must have a CRL and/or OCSP entry. Our certificate does not have either of them. Another certificate I've tried has a CRL entry and it validates okay, but it is not the only difference, so I'm looking for the exact specs. However, I'm unable to find them anywhere. I know that RFC 9325 places a normative requirement on *TLS* implementations to have some means of distrusting certificates, but I can't find anything like this for S/MIME. Sections *4.3. Signature Verification* and *6. Security Considerations* of [RFC 8551](https://www.rfc-editor.org/rfc/rfc8551.html) more or less only mention key sizes and algorithms, but no revocation checking. I also failed to find any documentation by Apple about this change. Is there any?
Asked by not2savvy (2070 rep)
Jan 14, 2025, 11:14 AM
Last activity: Jan 14, 2025, 02:54 PM