iOS Mail.app only permits signing and encrypting email with the first SubjectAltName (X.509v3)
| Originator: | emory | | |
| Number: | rdar://25711569 | Date Originated: | 2016-04-13 |
| Status: | Open | Resolved: | |
| Product: | iOS | Product Version: | 9.3.1 |
| Classification: | Enhancement? | Reproducible: | Yes |
Summary:
An S/MIME certificate and key pair with Subject Alternative Names will only allow an iOS user to sign (or sign and encrypt) an email when the From address on their account matches the first SubjectAltName in the certificate.

On OS X, Mail.app respects the list of email addresses identified as Subject Alternative Names and permits signatures and encryption of messages with any From address selected that matches any of the listed SubjectAltName values.

e.g. The screenshot included shows a list of RFC822 names in my email certificate. I use that certificate to sign (and encrypt) email with OS X without incident from any of the addresses listed in the certificate. My iOS devices, however, only permit signing and encrypting when the From: address of the email matches the first RFC 822 name in the extension (in my case, *r@*org).

I don't know if this is a bug or a request for enhancement. It feels like a bug to me because I can imagine this being overlooked rather than by design.

Steps to Reproduce:
1. Provision an email certificate with multiple email addresses associated with it as Subject Alternative Names.
2. Attempt to sign an email with that certificate using an email address other than the first listed.

Expected Results:
iOS Mail.app should allow sending signed emails from any address listed in the certificate.

Actual Results:
iOS Mail.app only uses the first email address found in the certificate for signing.

Version:
iOS 9.3.1 13E238

Notes:
You can pull my public key from http://pki.kvet.ch/ca/certificates if you need to compare.
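To check where a given From address sits among a certificate's rfc822Name SANs (index 0 is the only one the report says iOS 9.3.1 accepts), the following added example, which is not part of the original report, builds a throwaway certificate and looks the address up. The helper names `sampleCert` and `sanIndex` and the example.org addresses are hypothetical, and the whole-address case-insensitive comparison is a simplifying assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sampleCert builds a constructed, self-signed certificate whose SAN lists the given emails in order.
func sampleCert(emails []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "constructed S/MIME sample"},
		NotBefore:      time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		EmailAddresses: emails, // encoded as rfc822Name entries in SubjectAltName
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sanIndex returns the position of from among the rfc822Name SANs, or -1 if it is not covered.
func sanIndex(cert *x509.Certificate, from string) int {
	for i, san := range cert.EmailAddresses {
		if strings.EqualFold(san, from) { // assumption: compare the whole address case-insensitively
			return i
		}
	}
	return -1
}

func main() {
	cert, err := sampleCert([]string{"first@example.org", "second@example.org"})
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.EmailAddresses, sanIndex(cert, "second@example.org")) // SAN order, then 1
}
```

An index greater than 0 means the address is covered by the certificate but is not the first SAN, which is the case the report describes as failing on iOS and working on OS X.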