Comments on: .Mac emails get more secure? http://www.hawkwings.net/2005/11/02/mac-emails-get-more-secure/ Tips and add-ons to make Apple Mail / Mail.app even better Fri, 05 Dec 2008 09:50:46 +0000 http://wordpress.org/?v=2.5.1 By: Hawk Wings » Blog Archive » Two Top Fives: Hawk Wings 2006 in review http://www.hawkwings.net/2005/11/02/mac-emails-get-more-secure/#comment-764 Hawk Wings » Blog Archive » Two Top Fives: Hawk Wings 2006 in review Fri, 30 Dec 2005 15:58:53 +0000 http://www.hawkwings.net/?p=303#comment-764 [...] I discovered several new Mail features that have been around since Jaguar and completely misunderstood what the new iChat SSL certificates were about. Also my arguments in favour of top-posting proved more persuasive to me than anyone else. [...] [...] I discovered several new Mail features that have been around since Jaguar and completely misunderstood what the new iChat SSL certificates were about. Also my arguments in favour of top-posting proved more persuasive to me than anyone else. [...]

]]> By: Hawk Wings » Blog Archive » Use your iChat certificate to sign Mail.app emails http://www.hawkwings.net/2005/11/02/mac-emails-get-more-secure/#comment-502 Hawk Wings » Blog Archive » Use your iChat certificate to sign Mail.app emails Sun, 27 Nov 2005 13:18:07 +0000 http://www.hawkwings.net/?p=303#comment-502 [...] Although I couldn’t get it to work, some people like David Dunham were able to use their new iChat digital certificates to sign .Mac emails. And it looked like Apple had possible future plans to use the certificate for email signatures. [...] [...] Although I couldn’t get it to work, some people like David Dunham were able to use their new iChat digital certificates to sign .Mac emails. And it looked like Apple had possible future plans to use the certificate for email signatures. [...]

]]> By: David Dunham http://www.hawkwings.net/2005/11/02/mac-emails-get-more-secure/#comment-372 David Dunham Fri, 04 Nov 2005 03:54:29 +0000 http://www.hawkwings.net/?p=303#comment-372 Like Criss, I have one Mac that can sign, and another that can't. The one that can has a certificate with my .Mac name, without the @mac.com part. Despite this, it does sign e-mail (on that machine). The machine that can sign happens to be the one I enabled Like Criss, I have one Mac that can sign, and another that can’t. The one that can has a certificate with my .Mac name, without the @mac.com part. Despite this, it does sign e-mail (on that machine). The machine that can sign happens to be the one I enabled

]]> By: Criss Hyde http://www.hawkwings.net/2005/11/02/mac-emails-get-more-secure/#comment-371 Criss Hyde Fri, 04 Nov 2005 03:22:32 +0000 http://www.hawkwings.net/?p=303#comment-371 I have three Macs at home recently updated to 10.4.3. Each has an account for each of my ten family members. Most members have personal .Mac accounts. One and only one of the Macs, apparently for all accounts with .Mac, has begun signing email, offering to encrypt if the recipient's certificate has been received in a previously signed email, and encrypting if asked. I haven't discovered why only this one. /criss I have three Macs at home recently updated to 10.4.3. Each has an account for each of my ten family members. Most members have personal .Mac accounts. One and only one of the Macs, apparently for all accounts with .Mac, has begun signing email, offering to encrypt if the recipient’s certificate has been received in a previously signed email, and encrypting if asked. I haven’t discovered why only this one. /criss

]]> By: Andreas Amann http://www.hawkwings.net/2005/11/02/mac-emails-get-more-secure/#comment-363 Andreas Amann Thu, 03 Nov 2005 06:23:28 +0000 http://www.hawkwings.net/?p=303#comment-363 You have to examine the certificate with the Keychain Utility and compare the .Mac/iChat certificate with a "normal" email certificate: .Mac/iChat: * Subject Name: [...] Organization: Apple Computer, Inc. Organizational Unti: mac.com Common Name: (your .mac user name, without @mac.com) An Email-Signing key for the same .Mac address: * Subject Name: [...] Common Name: (this depends on how your key was set up, Thatwe says "Thawte Freemail Member", other CAs allow you to have your real name here) Email Address: (your .Mac email address, including @mac.com) * Public Key Info: [...] Extension: Key Usage Usage: Digital Signature, Key Encipherment So, the problem is that the .Mac/iChat key lacks the "Email Address" field in the "Subject Name" section of the key and thus cannot be used for email signing... However, the interesting part is further down in the certificate info: * Public Key Info: [...] Extension: Extended Key Usage [...] Purpose #2: Email Protection [...] Looks like Apple still has some plans in the pipeline for later:-) (my email signing key for the same account does not have the "Extended Key Usage" field at all, could be another Apple extension). You have to examine the certificate with the Keychain Utility and compare the .Mac/iChat certificate with a “normal” email certificate:

.Mac/iChat:

* Subject Name:
[...]
Organization: Apple Computer, Inc.
Organizational Unti: mac.com
Common Name: (your .mac user name, without @mac.com)

An Email-Signing key for the same .Mac address:
* Subject Name:
[...]
Common Name: (this depends on how your key was set up, Thatwe says “Thawte Freemail Member”, other CAs allow you to have your real name here)
Email Address: (your .Mac email address, including @mac.com)
* Public Key Info:
[...]
Extension: Key Usage
Usage: Digital Signature, Key Encipherment

So, the problem is that the .Mac/iChat key lacks the “Email Address” field in the “Subject Name” section of the key and thus cannot be used for email signing…

However, the interesting part is further down in the certificate info:

* Public Key Info:
[...]
Extension: Extended Key Usage
[...]
Purpose #2: Email Protection
[...]

Looks like Apple still has some plans in the pipeline for later:-) (my email signing key for the same account does not have the “Extended Key Usage” field at all, could be another Apple extension).

]]>