Hawk Wings » certificate

Encryption tutorial for Mail.app

Tim Gaden — Thu, 08 Mar 2007 11:18:03 +0000

Melvin Rivera has written a nice tutorial for Mail users explaining how to get a digital certificate from Thawte and how to use Mail.app’s digital signature and encryption features.

He outlines the process for creating an account at Thawte and requesting a certificate and then installing it.

Further sections follow on the difference between a digitally signed and an encrypted message, and how to use them.

It’s interesting to compare Melvin’s take on secure email in Mail.app with Matt Haughey’s experience , which wasn’t so positive.

Melvin thinks it works well and is a good tool to have in your email armoury:

Other than the process of going though an external website for obtaining a certificate, Mailâ€™s integration of signed and encrypted messages is seamless. Itâ€™s a great feature that is just hidden until needed. Making the user experience simple and clean. And thereâ€™s nothing like discovering a great new feature on an App youâ€™ve been using for a long time now.

Joar Winfor has also produced a more detailed walkthrough for secure email in Mail.app, but more detail is not always good for everyone.thawte, certificate, X.509, digital signatures, encryption, secure email, security, mail.app, apple mailSimilar Posts:

Long delays with Mail.app replies

Tim Gaden — Wed, 18 Oct 2006 13:11:30 +0000

A poster on macOSXHints has posted a tip to reduce the long delays in producing a reply window that sometimes occur in Mail.

He suggests that it caused by settings in the Keychain and provides a work-around to fix it.

I had this problem earlier in the year. In my case, it wasn’t caused by Keychain settings, but by my .Mac account.

I won’t repeat it all here, but you can read the whole saga in “Apple Mail phones home too” where you will also find the fix.

In short, Mail was trying to connect through port 80 to verify my iChat certificate. My work firewall blocks port 80. Hence the delay.

Interesting that Mail phones home in an unannounced but benign way, don’t you think? mail.app, apple mail, dotmac, .Mac, iChat, certificate, keychain, bugsSimilar Posts:

Use your iChat certificate to sign Mail.app emails

Tim Gaden — Sun, 27 Nov 2005 13:15:34 +0000

It is possible — after all — to sign .Mac emails with the new iChat digital certificate that came with the 10.4.3 update.

Although I couldn’t get it to work, some people like David Dunham were able to use their new iChat digital certificates to sign .Mac emails. And it looked like Apple had future plans to use the certificate for email signatures.

But you can use it now to sign your .Mac emails.

To enable Mail.app to use your iChat certificate in this way, you need to open the Keychain Access utility. You can find it in the Utilities sub-folder of your Applications folder.

Make sure that your .Mac digital certificate is listed there. Then open up Keychain Access’ Preferences and select the “Search .Mac for certificates” option:

Now launch or (re-launch) Apple Mail. It will be able to digitally sign emails composed in your .Mac account using that certificate.

Works for me!

UPDATE: Criss Hyde emails to say that this certificate support is not there for trial .Mac accounts or email only .Mac accounts. But full .Mac accounts and family .Mac accounts are supported.

[Via Quarter Life Crisis]Similar Posts:

More on the .Mac/iChat certificate

Tim Gaden — Thu, 03 Nov 2005 22:12:33 +0000

Andreas Amann has compared the new .Mac/iChat certificate with a “normal” one, and posted the results in the comments to another post.

He found two interesting things:

The .Mac/iChat key lacks the ?¢‚Ç¨?ìEmail Address?¢‚Ç¨¬ù field in the ?¢‚Ç¨?ìSubject Name?¢‚Ç¨¬ù section of the key and thus cannot be used for email signing in Apple Mail like a certificate from Thawte or some other CA.

Towards the bottom of the certificate, in contrast to other certificates, Apple has a section called ‘Extended Key Usage”. Here Apple has nominated the second purpose of the certificate as “email protection”:

From this Andreas suggests that it “looks like Apple still has some plans in the pipeline for later:-)”

You can read more about the .Mac/iChat certificate on the “Apple Root Certificate Authority” section of the Apple web site.

Despite all this, at least ~~one~~ two readers have found that they can sign their emails with their .Mac/iChat certificate.

Does anyone have any further thoughts about, insights into or experience with this?Similar Posts:

Safari 2.0 and Thawte Certificates

Tim Gaden — Wed, 02 Nov 2005 22:10:28 +0000

As part of my steep learning curve about encrypted mail in Apple Mail I came across a howto on the O’Reilly mac devcenter, that explains the proccess for requesting a certificate from Thawte.

It says that you can’t use Safari to get your certificate. Probably you couldn’t when this howto was written in January 2004.

But you can now. I just did. There’s no option to select Safari from the browser options in Thawte’s request process, but selecting “Netspace Communicator or Messenger” works.

Then click on the URL in the email from Thawte announcing that your certificate has been issued. Safari will happily download it and automatically add it to your Keychain.

So spare yourself the hassle of mucking around with another browser.

You might also like to follow the guide recommended by Andreas Amann in the comments: http://www.joar.com/certificates/.Similar Posts:

.Mac emails get more secure?

Tim Gaden — Wed, 02 Nov 2005 06:37:42 +0000

OK, everyone can have a bad day, right?

Yesterday, I had one, finding a “new” old spotlight feature in the Context menu of Mail and completely misunderstanding what was happening with digital signatures in Apple Mail.

The greyed out boxes appeared — this is what I am thinking in the cool rational air of the new day — because Mail.app knew that I had a certificate for one email account but not for the .Mac one. It has absolutely nothing to do with iChat and its new certificate.

Although the .Mac/iChat certificate is interesting in a number of ways. See the comments and the entry on “More on the .Mac/iChat certificate”.

~~It seems that the new encrypted iChat feature in 10.4.3 adds a digital signature to .Mac emails as an extra bonus.~~

David Dunham emailed with something he noticed:

I just noticed that a digital signing and an encryption gadget show up when I choose a .Mac account in Mail.app. (Encryption isn’t enabled unless I send only to people for whom I have a certificate, which is essentially nobody.)

I tried this out, by replying to him.

Sure enough, the digital signature boxes appeared. His .Mac certificate was visible in my Keychain, but the digital signature options in the Compose window were greyed out and stuck on “unsigned” mode:

What does it all mean?

~~An explanation from Apple of how the iChat certificates work and more general ignorance from me about encryption follows the jump.~~

~~An Apple document, .Mac Certification Practice Statement”, dated (appropriately enough) 31 October 2005, describes how the keys work:~~

4.1. Certificate registration

When the iChat software identifies that a user’s iChat screen name is a .Mac screen name, it contacts the .Mac servers and verifies that the account is one that supports the issuance of iChat Session certificates and that the .Mac subscription payments are current. If both conditions are met, a private/public key pair is generated on the client computer by the iChat application.

The public half of the key pair is then sent to the .Mac servers as part of a Certificate Signing Request (CSR) to be authenticated via a digest authentication scheme. The public key, .Mac account name, and other data necessary to provide a successful digest authentication are required in the CSR. Furthermore, the CSR is signed by the subscriber’s private key. This signature allows the .Mac servers to validate that the private key held by the subscriber corresponds to the public key submitted in the CSR. Once the CSR is received and authenticated, the .Mac server again verifies the account’s ability to request a certificate. The CSR is then passed along to the signing proxy server, so that the certificate may be constructed and signed by the .Mac Sub-CA.

Once the certificate has been constructed and signed, it is made available for retrieval by the iChat client application via OCSP. Data returned back to the client from the OCSP servers is signed by another leaf certificate issued against the .Mac Sub-CA and can therefore be authenticated by the client.

The name associated with a certificate is the .Mac account name. Names must be unique within the .Mac namespace, but do not have to be meaningful and are arbitrarily selected by the user at the time the user creates a .Mac account. Uniqueness of the account name is enforced at account creation through the checking of the requested account name against a list of accounts that have been previously assigned to other users.

Here’s the puzzle for me: if the certificate issued by iChat contains both the private and the public key, why can’t I digitally sign my .Mac emails? Why are the boxes greyed out?

~~What am I missing here?~~ A brain.
Similar Posts: