Melvin Rivera has written a nice tutorial for Mail users explaining how to get a digital certificate from Thawte and how to use Mail.app’s digital signature and encryption features.

He outlines the process for creating an account at Thawte and requesting a certificate and then installing it.

Further sections follow on the difference between a digitally signed and an encrypted message, and how to use them.

It’s interesting to compare Melvin’s take on secure email in Mail.app with Matt Haughey’s experience , which wasn’t so positive.

Melvin thinks it works well and is a good tool to have in your email armoury:

Other than the process of going though an external website for obtaining a certificate, Mail’s integration of signed and encrypted messages is seamless. It’s a great feature that is just hidden until needed. Making the user experience simple and clean. And there’s nothing like discovering a great new feature on an App you’ve been using for a long time now.

Joar Winfor has also produced a more detailed walkthrough for secure email in Mail.app, but more detail is not always good for everyone.thawte, certificate, X.509, digital signatures, encryption, secure email, security, mail.app, apple mail

A poster on macOSXHints has posted a tip to reduce the long delays in producing a reply window that sometimes occur in Mail.

He suggests that it caused by settings in the Keychain and provides a work-around to fix it.

I had this problem earlier in the year. In my case, it wasn’t caused by Keychain settings, but by my .Mac account.

I won’t repeat it all here, but you can read the whole saga in “Apple Mail phones home too” where you will also find the fix.

In short, Mail was trying to connect through port 80 to verify my iChat certificate. My work firewall blocks port 80. Hence the delay.

Interesting that Mail phones home in an unannounced but benign way, don’t you think? mail.app, apple mail, dotmac, .Mac, iChat, certificate, keychain, bugs

It is possible — after all — to sign .Mac emails with the new iChat digital certificate that came with the 10.4.3 update.

Although I couldn’t get it to work, some people like David Dunham were able to use their new iChat digital certificates to sign .Mac emails. And it looked like Apple had future plans to use the certificate for email signatures.

But you can use it now to sign your .Mac emails.

To enable Mail.app to use your iChat certificate in this way, you need to open the Keychain Access utility. You can find it in the Utilities sub-folder of your Applications folder.

Make sure that your .Mac digital certificate is listed there. Then open up Keychain Access’ Preferences and select the “Search .Mac for certificates” option:

Now launch or (re-launch) Apple Mail. It will be able to digitally sign emails composed in your .Mac account using that certificate.

Works for me!

UPDATE: Criss Hyde emails to say that this certificate support is not there for trial .Mac accounts or email only .Mac accounts. But full .Mac accounts and family .Mac accounts are supported.

[Via Quarter Life Crisis]

Andreas Amann has compared the new .Mac/iChat certificate with a “normal” one, and posted the results in the comments to another post.

He found two interesting things:

1. The .Mac/iChat key lacks the ?¢‚Ǩ?ìEmail Address?¢‚Ǩ¬ù field in the ?¢‚Ǩ?ìSubject Name?¢‚Ǩ¬ù section of the key and thus cannot be used for email signing in Apple Mail like a certificate from Thawte or some other CA.
2. Towards the bottom of the certificate, in contrast to other certificates, Apple has a section called ‘Extended Key Usage”. Here Apple has nominated the second purpose of the certificate as “email protection”:
   

   From this Andreas suggests that it “looks like Apple still has some plans in the pipeline for later:-)”

You can read more about the .Mac/iChat certificate on the “Apple Root Certificate Authority” section of the Apple web site.

Despite all this, at least one two readers have found that they can sign their emails with their .Mac/iChat certificate.

Does anyone have any further thoughts about, insights into or experience with this?

As part of my steep learning curve about encrypted mail in Apple Mail I came across a howto on the O’Reilly mac devcenter, that explains the proccess for requesting a certificate from Thawte.

It says that you can’t use Safari to get your certificate. Probably you couldn’t when this howto was written in January 2004.

But you can now. I just did. There’s no option to select Safari from the browser options in Thawte’s request process, but selecting “Netspace Communicator or Messenger” works.

Then click on the URL in the email from Thawte announcing that your certificate has been issued. Safari will happily download it and automatically add it to your Keychain.

So spare yourself the hassle of mucking around with another browser.

You might also like to follow the guide recommended by Andreas Amann in the comments: http://www.joar.com/certificates/.

OK, everyone can have a bad day, right?

Yesterday, I had one, finding a “new” old spotlight feature in the Context menu of Mail and completely misunderstanding what was happening with digital signatures in Apple Mail.

The greyed out boxes appeared — this is what I am thinking in the cool rational air of the new day — because Mail.app knew that I had a certificate for one email account but not for the .Mac one. It has absolutely nothing to do with iChat and its new certificate.

Although the .Mac/iChat certificate is interesting in a number of ways. See the comments and the entry on “More on the .Mac/iChat certificate”.

It seems that the new encrypted iChat feature in 10.4.3 adds a digital signature to .Mac emails as an extra bonus.

David Dunham emailed with something he noticed:

I just noticed that a digital signing and an encryption gadget show up when I choose a .Mac account in Mail.app. (Encryption isn’t enabled unless I send only to people for whom I have a certificate, which is essentially nobody.)

I tried this out, by replying to him.

Sure enough, the digital signature boxes appeared. His .Mac certificate was visible in my Keychain, but the digital signature options in the Compose window were greyed out and stuck on “unsigned” mode:

What does it all mean?

An explanation from Apple of how the iChat certificates work and more general ignorance from me about encryption follows the jump.

(more…)