OK, everyone can have a bad day, right?
Yesterday, I had one, finding a “new” old Spotlight feature in the context menu of Mail and completely misunderstanding what was happening with digital signatures in Apple Mail.
The greyed out boxes appeared — this is what I am thinking in the cool rational air of the new day — because Mail.app knew that I had a certificate for one email account but not for the .Mac one. It has absolutely nothing to do with iChat and its new certificate.
It seems that the new encrypted
David Dunham emailed with something he noticed:
I just noticed that a digital signing and an encryption gadget show up when I choose a .Mac account in Mail.app. (Encryption isn’t enabled unless I send only to people for whom I have a certificate, which is essentially nobody.)
I tried this out by replying to him.
Sure enough, the digital signature boxes appeared. His .Mac
What does it all mean?
An explanation from Apple of how the iChat certificates work and more general ignorance from me about encryption follows the jump.
An Apple document, “.Mac Certification Practice Statement”, dated (appropriately enough) 31 October 2005, describes how the keys work:
4.1. Certificate registration
When the iChat software identifies that a user’s iChat screen name is a .Mac screen name, it contacts the .Mac servers and verifies that the account is one that supports the issuance of iChat Session certificates and that the .Mac subscription payments are current. If both conditions are met, a private/public key pair is generated on the client computer by the iChat application.
The public half of the key pair is then sent to the .Mac servers as part of a Certificate Signing Request (CSR) to be authenticated via a digest authentication scheme. The public key, .Mac account name, and other data necessary to provide a successful digest authentication are required in the CSR. Furthermore, the CSR is signed by the subscriber’s private key. This signature allows the .Mac servers to validate that the private key held by the subscriber corresponds to the public key submitted in the CSR. Once the CSR is received and authenticated, the .Mac server again verifies the account’s ability to request a certificate. The CSR is then passed along to the signing proxy server, so that the certificate may be constructed and signed by the .Mac Sub-CA.
Once the certificate has been constructed and signed, it is made available for retrieval by the iChat client application via OCSP. Data returned back to the client from the OCSP servers is signed by another leaf certificate issued against the .Mac Sub-CA and can therefore be authenticated by the client.
The name associated with a certificate is the .Mac account name. Names must be unique within the .Mac namespace, but do not have to be meaningful and are arbitrarily selected by the user at the time the user creates a .Mac account. Uniqueness of the account name is enforced at account creation through the checking of the requested account name against a list of accounts that have been previously assigned to other users.
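The enrolment that section 4.1 describes, written out as an added example (this is not Apple's code and not from the original post): the client generates the key pair locally, sends only the public half inside a CSR that it signs with the private key, the server checks that self-signature as proof of possession and checks that the requested name is the account that authenticated, a stand-in Sub-CA signs the leaf certificate, and the client finally verifies the returned certificate against the Sub-CA and against the key pair it generated. The account name "janedoe", the stand-in Sub-CA and the two rejection cases are assumptions; the digest authentication and the OCSP retrieval step are not modelled (the server is simply told which account authenticated). Note that, as the CPS says, only the public half leaves the client: the certificate that comes back wraps that public key, and the private key stays on the client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical .Mac account name used as the certificate subject (assumed, not a real account).
const accountName = "janedoe"

// clientMakeCSR is the client side: the key pair is generated locally and only the
// public half leaves the machine, inside a CSR signed with the private key.
func clientMakeCSR(account string) (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: account}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	return priv, der, err
}

// newSubCA builds a self-signed stand-in for the .Mac Sub-CA (assumed; not Apple's CA).
func newSubCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example .Mac Sub-CA (stand-in)"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serverIssue is the .Mac server plus signing proxy: parse the CSR, check its
// self-signature (proof that the requester holds the matching private key), confirm
// the requested name is the authenticated account, then sign a leaf with the Sub-CA key.
func serverIssue(csrDER []byte, authenticated string, subCA *x509.Certificate, subCAKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof-of-possession failed: %w", err)
	}
	if csr.Subject.CommonName != authenticated {
		return nil, errors.New("CSR name does not match the authenticated .Mac account")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// Only the public key from the CSR goes into the certificate; the server never sees the private key.
	der, err := x509.CreateCertificate(rand.Reader, leaf, subCA, csr.PublicKey, subCAKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientVerify chains the retrieved certificate to the Sub-CA and confirms it wraps
// the public half of the key pair this client generated.
func clientVerify(leaf, subCA *x509.Certificate, priv *ecdsa.PrivateKey) error {
	roots := x509.NewCertPool()
	roots.AddCert(subCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&priv.PublicKey) {
		return errors.New("certificate public key does not match the local private key")
	}
	return nil
}

// Enrol runs the honest exchange end to end and returns the leaf, the client key and the Sub-CA.
func Enrol(account string) (*x509.Certificate, *ecdsa.PrivateKey, *x509.Certificate, error) {
	subCA, subCAKey, err := newSubCA()
	if err != nil {
		return nil, nil, nil, err
	}
	priv, csrDER, err := clientMakeCSR(account)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, err := serverIssue(csrDER, account, subCA, subCAKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return leaf, priv, subCA, clientVerify(leaf, subCA, priv)
}

// RejectedNameMismatch reports whether a CSR naming a different account than the one
// that authenticated is refused.
func RejectedNameMismatch() bool {
	subCA, subCAKey, err := newSubCA()
	if err != nil {
		return false
	}
	_, csrDER, err := clientMakeCSR("someone-else")
	if err != nil {
		return false
	}
	_, err = serverIssue(csrDER, accountName, subCA, subCAKey)
	return err != nil
}

// RejectedTamperedCSR reports whether a CSR whose signature no longer matches its
// contents (last DER byte, inside the signature, flipped) is refused.
func RejectedTamperedCSR() bool {
	subCA, subCAKey, err := newSubCA()
	if err != nil {
		return false
	}
	_, csrDER, err := clientMakeCSR(accountName)
	if err != nil {
		return false
	}
	csrDER[len(csrDER)-1] ^= 0xFF
	_, err = serverIssue(csrDER, accountName, subCA, subCAKey)
	return err != nil
}

func main() {
	leaf, _, _, err := Enrol(accountName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued certificate for %q, signed by %q\n", leaf.Subject.CommonName, leaf.Issuer.CommonName)
	fmt.Println("name mismatch rejected:", RejectedNameMismatch())
	fmt.Println("tampered CSR rejected:", RejectedTamperedCSR())
}
```

The two rejection helpers show why the CSR is signed with the private key: a request carrying someone else's public key cannot produce a valid self-signature, and a request for a name other than the authenticated account is refused even when the signature is good.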
Here’s the puzzle for me: if the certificate issued by iChat contains both the private and the public key, why can’t I digitally sign my .Mac emails? Why are the boxes greyed out?
What am I missing here? A brain.
- Use your iChat certificate to sign Mail.app emails
- Encryption tutorial for Mail.app
- More on the .Mac/iChat certificate
- Self-signed SSL certificates in Apple Mail
- Security vulnerability in GPGMail
Tags: 10.4.3, certificate, iChat, mac