«
»

.Mac emails get more secure?

dotmac70pxOK, everyone can have a bad day, right?

Yesterday, I had one, finding a “new” old spotlight feature in the Context menu of Mail and completely misunderstanding what was happening with digital signatures in Apple Mail.

The greyed out boxes appeared — this is what I am thinking in the cool rational air of the new day — because Mail.app knew that I had a certificate for one email account but not for the .Mac one. It has absolutely nothing to do with iChat and its new certificate.

Although the .Mac/iChat certificate is interesting in a number of ways. See the comments and the entry on “More on the .Mac/iChat certificate”.

It seems that the new encrypted iChat feature in 10.4.3 adds a digital signature to .Mac emails as an extra bonus.

David Dunham emailed with something he noticed:

I just noticed that a digital signing and an encryption gadget show up when I choose a .Mac account in Mail.app. (Encryption isn’t enabled unless I send only to people for whom I have a certificate, which is essentially nobody.)

I tried this out, by replying to him.

Sure enough, the digital signature boxes appeared. His .Mac certificate was visible in my Keychain, but the digital signature options in the Compose window were greyed out and stuck on “unsigned” mode:

dotmac_dig_sig

What does it all mean?

An explanation from Apple of how the iChat certificates work and more general ignorance from me about encryption follows the jump.


An Apple document, .Mac Certification Practice Statement”, dated (appropriately enough) 31 October 2005, describes how the keys work:

4.1. Certificate registration

When the iChat software identifies that a user’s iChat screen name is a .Mac screen name, it contacts the .Mac servers and verifies that the account is one that supports the issuance of iChat Session certificates and that the .Mac subscription payments are current. If both conditions are met, a private/public key pair is generated on the client computer by the iChat application.

The public half of the key pair is then sent to the .Mac servers as part of a Certificate Signing Request (CSR) to be authenticated via a digest authentication scheme. The public key, .Mac account name, and other data necessary to provide a successful digest authentication are required in the CSR. Furthermore, the CSR is signed by the subscriber’s private key. This signature allows the .Mac servers to validate that the private key held by the subscriber corresponds to the public key submitted in the CSR. Once the CSR is received and authenticated, the .Mac server again verifies the account’s ability to request a certificate. The CSR is then passed along to the signing proxy server, so that the certificate may be constructed and signed by the .Mac Sub-CA.

Once the certificate has been constructed and signed, it is made available for retrieval by the iChat client application via OCSP. Data returned back to the client from the OCSP servers is signed by another leaf certificate issued against the .Mac Sub-CA and can therefore be authenticated by the client.

The name associated with a certificate is the .Mac account name. Names must be unique within the .Mac namespace, but do not have to be meaningful and are arbitrarily selected by the user at the time the user creates a .Mac account. Uniqueness of the account name is enforced at account creation through the checking of the requested account name against a list of accounts that have been previously assigned to other users.

Here’s the puzzle for me: if the certificate issued by iChat contains both the private and the public key, why can’t I digitally sign my .Mac emails? Why are the boxes greyed out?

What am I missing here? A brain.

Similar Posts:

Tags: , , ,

This entry was posted on Wednesday, 2nd November, 2005 at 5:37 pm and is filed under Apple Mail. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

5 Responses to “.Mac emails get more secure?”

  1. Andreas Amann says:
    November 3rd, 2005 at 5:23 pm

    You have to examine the certificate with the Keychain Utility and compare the .Mac/iChat certificate with a “normal” email certificate:

    .Mac/iChat:

    * Subject Name:
    [...]
    Organization: Apple Computer, Inc.
    Organizational Unti: mac.com
    Common Name: (your .mac user name, without @mac.com)

    An Email-Signing key for the same .Mac address:
    * Subject Name:
    [...]
    Common Name: (this depends on how your key was set up, Thatwe says “Thawte Freemail Member”, other CAs allow you to have your real name here)
    Email Address: (your .Mac email address, including @mac.com)
    * Public Key Info:
    [...]
    Extension: Key Usage
    Usage: Digital Signature, Key Encipherment

    So, the problem is that the .Mac/iChat key lacks the “Email Address” field in the “Subject Name” section of the key and thus cannot be used for email signing…

    However, the interesting part is further down in the certificate info:

    * Public Key Info:
    [...]
    Extension: Extended Key Usage
    [...]
    Purpose #2: Email Protection
    [...]

    Looks like Apple still has some plans in the pipeline for later:-) (my email signing key for the same account does not have the “Extended Key Usage” field at all, could be another Apple extension).

  2. Criss Hyde says:
    November 4th, 2005 at 2:22 pm

    I have three Macs at home recently updated to 10.4.3. Each has an account for each of my ten family members. Most members have personal .Mac accounts. One and only one of the Macs, apparently for all accounts with .Mac, has begun signing email, offering to encrypt if the recipient’s certificate has been received in a previously signed email, and encrypting if asked. I haven’t discovered why only this one. /criss

  3. David Dunham says:
    November 4th, 2005 at 2:54 pm

    Like Criss, I have one Mac that can sign, and another that can’t. The one that can has a certificate with my .Mac name, without the @mac.com part. Despite this, it does sign e-mail (on that machine). The machine that can sign happens to be the one I enabled

  4. Hawk Wings » Blog Archive » Use your iChat certificate to sign Mail.app emails says:
    November 28th, 2005 at 12:18 am

    [...] Although I couldn’t get it to work, some people like David Dunham were able to use their new iChat digital certificates to sign .Mac emails. And it looked like Apple had possible future plans to use the certificate for email signatures. [...]

  5. Hawk Wings » Blog Archive » Two Top Fives: Hawk Wings 2006 in review says:
    December 31st, 2005 at 2:58 am

    [...] I discovered several new Mail features that have been around since Jaguar and completely misunderstood what the new iChat SSL certificates were about. Also my arguments in favour of top-posting proved more persuasive to me than anyone else. [...]

Leave a Reply