Saturday, June 6, 2020

Troubleshooting Secure Email Issues With a CAC

I was tempted to simply add a second addendum to my recent CAC post, but I wanted to expand on relevant comments.

To summarize, a (government) CAC smartcard chip carries PKI material: X.509 certificates and their associated private keys. If I use third-party software, like ActivClient, I can see three certificates (identity, signature, and encryption). The identity certificate authenticates the holder, say, to a government website. The email signature certificate provides integrity and non-repudiation of the message source, and the encryption certificate ensures confidentiality. In practice the private keys never leave the chip: they are unlocked by the CAC PIN, and signing and decryption happen on the card. So, for example, in accessing a secure government website, including email, I'll usually get a pop-up to select the (identity) certificate; there's a second step (on my home system) where it tests the card reader and reads the CAC; and on an intermittent basis I'll get a garbage popup saying something like it can't use the certificates on the CAC. What this really means in practice is that I need to reseat the CAC: remove the card from the reader and reinsert it. (IMPORTANT practical note: if I'm using 32-bit Internet Explorer, I need to go to Internet Options, Content tab, and clear the SSL state before it will reread the CAC; otherwise IE keeps reusing the cached TLS client-certificate session instead of going back to the card.) Once I get confirmation that the device is ready and click OK, I should be prompted for my CAC PIN. If successful, I'll usually land at a USG warning banner page (in IE, I'll sometimes have to refresh the webpage). Similar PIN prompts occur when I sign and/or encrypt outgoing emails.

Now I ran into some weird issues soon after installing/testing S/MIME for use in IE-32 as described in the last post (needed for secure email functionality). I recall being able to pull up a digitally signed and/or encrypted email from another person and to send my own signed/encrypted email. A few days later, I tried pulling up another email from the same person, and the entire message body was blank. What the devil? Was he encrypting with an obsolete public certificate? A separate, weird issue: all of a sudden I couldn't send even regular emails from Outlook Web Access; clicking on the send button didn't do anything.
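Before changing browser settings, the first things to rule out for both symptoms above (the "can't use the certificates on the CAC" popup, and a blank body on an encrypted message) are the certificates themselves: has one expired, is the card actually being read, and is the correspondent's encryption certificate that OWA cached still valid? The following PowerShell script is an added example; it is not from the original post and not ActivClient's tooling. It assumes the CAC certificates have been propagated into the CurrentUser\My store (ActivClient and the built-in smart card minidriver both do this), that certificates received from correspondents sit in CurrentUser\AddressBook ("Other People"), and that the identity/signature/encryption roles can be inferred from key usage and EKU as described in the comments (a heuristic, not something the post states).

```powershell
# Added example, not code from the original post and not ActivClient's tooling.
# Assumptions: CAC certificates are propagated into CurrentUser\My; correspondents'
# certificates sit in CurrentUser\AddressBook; the role mapping from key usage
# and EKU is a heuristic.
using namespace System.Security.Cryptography.X509Certificates

$OidEmailProtection = '1.3.6.1.5.5.7.3.4'      # id-kp-emailProtection
$OidSmartCardLogon  = '1.3.6.1.4.1.311.20.2.2' # Microsoft Smart Card Logon

function Get-CacRole {
    param([X509Certificate2]$Cert)
    $ku   = [X509KeyUsageFlags]::None
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [X509KeyUsageExtension])         { $ku   = $ext.KeyUsages }
        if ($ext -is [X509EnhancedKeyUsageExtension]) { $ekus = @($ext.EnhancedKeyUsages | ForEach-Object Value) }
    }
    # Assumed mapping: only the encryption cert may wrap session keys; the
    # identity cert carries Smart Card Logon; the signing cert carries Secure
    # Email with a signature-only key usage.
    if ($ku -band [X509KeyUsageFlags]::KeyEncipherment) { return 'encryption' }
    if ($ekus -contains $OidSmartCardLogon)             { return 'identity' }
    if ($ekus -contains $OidEmailProtection)            { return 'signature' }
    return 'other'
}

function Test-CacCertificate {
    param([X509Certificate2]$Cert, [switch]$ExpectPrivateKey)
    $now = Get-Date
    $problems = @()
    if ($Cert.NotAfter  -lt $now) { $problems += 'expired' }
    if ($Cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($ExpectPrivateKey -and -not $Cert.HasPrivateKey) {
        # The public half is cached in the store but the card is not being read;
        # the browser reports this as "can't use the certificates on the CAC".
        $problems += 'private key not reachable (reseat the CAC)'
    }
    # Build the chain without revocation so the check works offline; the browser
    # additionally does OCSP/CRL, which is a separate failure mode.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    }
    $summary = if ($problems) { $problems -join ', ' } else { 'ok' }
    [pscustomobject]@{
        Role       = Get-CacRole $Cert
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint
        Problems   = $summary
    }
}

# My own CAC certificates: all three roles should appear, each with 'ok'.
function Get-CacReport {
    Get-ChildItem Cert:\CurrentUser\My |
        ForEach-Object { Test-CacCertificate $_ -ExpectPrivateKey }
}

# What OWA/Windows has cached for a correspondent. A blank body on an encrypted
# message is worth checking against an expired or missing encryption certificate.
function Get-SenderCertificates {
    param([string]$EmailAddress)
    Get-ChildItem Cert:\CurrentUser\AddressBook |
        Where-Object { $_.GetNameInfo([X509NameType]::EmailName, $false) -eq $EmailAddress } |
        ForEach-Object { Test-CacCertificate $_ }
}

Get-CacReport | Format-Table Role, NotAfter, Problems, Subject -AutoSize
# Get-SenderCertificates 'sender@example.mil' | Format-Table Role, NotAfter, Problems
```

If the report shows the public certificates but "private key not reachable", the store is fine and the card is not being read; `certutil -scinfo` talks to the reader directly and will prompt for the PIN, so it confirms whether reseating fixed it. If the correspondent's cached encryption certificate is expired or absent, the blank body is a certificate problem rather than a browser one, and no amount of IE tweaking will fix it.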

I really didn't want to contact the government helpdesk on the issues; I did have a contact with the local group servicing the laptop, and he mentioned he had also run into a blank email issue with OWA but not when using the Outlook client on his laptop (which isn't available to me).

I did a Google search on my issues and found this Microsoft webpage where the user's experience exactly matched mine. When I got to Jeremy Nickels' detailed response and saw 231 readers had endorsed it, I was convinced I had stumbled across a solution to an apparently common problem. The key steps are up to step 10 and involve a number of tweaks to IE settings, and yes, they resolved my functionality issues. I didn't check militarycac.com; I think when I tested that first signed/encrypted email after installing S/MIME via a related note, I assumed no other tweaks were necessary.