Re: [Fed-Talk] Leopard Mail, Address Book, Key Chain Access interactions for X.509 certificates
- Subject: Re: [Fed-Talk] Leopard Mail, Address Book, Key Chain Access interactions for X.509 certificates
- From: Lawrence D Hare <email@hidden>
- Date: Thu, 15 May 2008 15:54:29 -0400
I notice that AddressBook has a service running:
1794 ?? 0:00.20 /System/Library/Frameworks/AddressBook.framework/Versions/A/Resources/AddressBookManager.app/Contents/MacOS/AddressBookManager -psn_0_1052929
Which perhaps will parse the certificates once every now and then and correct any errors or changes. This would explain why old certificates in AddressBook only get corrected apparently on some whim or other, and why restarts and all do nothing.
Anyone know where one might get information on AddressBookManager? Couldn't find any in the package or path.
Lawrence
_______________________________________
Lawrence Hare
Systems Engineer
Tauri Group
Biowatch Program
(o) 703 647 8256
(c) 301 351 5439
On May 15, 2008, at 2:57 PM, Paul Derby wrote:

Begin forwarded message:
Date: May 15, 2008 2:39:38 PM EDT
Subject: Re: [Fed-Talk] Leopard Mail, Address Book, Key Chain Access interactions for X.509 certificates
X-Mailer: Apple Mail (2.919.2)
On May 15, 2008, at 12:58 PM, Paul Derby wrote:
So if the original cert is not needed, why doesn't KeyChain point to the latest cert by creation date instead of the old cert?
Because you might need it for another purpose. For example, the keyUsage constraint might be different: the new one may disallow encryption and be only a signing key, whereas the old one allowed encryption and signing. If Mail deleted the old cert you wouldn't be able to send encrypted mail to the sender any more.
Or you might need it to validate a signed object that *did* exercise the option to reference rather than include the cert. Keychain services more than mail, after all.
Don't think things like that don't happen, either. :)
The human engineering for certificate management amongst the Apple applications, Keychain Access, Mail and Address Book needs improvement. My opinion: the current implementation causes a lot of end user frustration.
You think this is bad, you should see Windows.
Seriously, though, UI for PKI stinks on ice just about anywhere. Apple's not alone here. This is a persistent topic of conversation among people doing human-computer interface work, particularly where HCI intersects with security.
-- Tim
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
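The keyUsage point made in the quoted reply (the newest certificate for a sender is not necessarily the right one for encryption) can be shown in code. The block below is an added example, not code from the thread or from any Apple component: it decodes the RFC 5280 KeyUsage BIT STRING from its DER encoding and selects a certificate by purpose rather than by creation date. The certificate records, serial numbers, e-mail address, dates and the `CertRecord`, `parse_key_usage`, `newest_cert` and `cert_for_purpose` names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# RFC 5280 KeyUsage bit positions. In a DER BIT STRING, bit 0 is the most
# significant bit of the first content byte.
KEY_USAGE_BITS = {
    0: "digitalSignature",
    1: "nonRepudiation",
    2: "keyEncipherment",
    3: "dataEncipherment",
    4: "keyAgreement",
    5: "keyCertSign",
    6: "cRLSign",
    7: "encipherOnly",
    8: "decipherOnly",
}


def parse_key_usage(der: bytes) -> frozenset:
    """Decode the DER BIT STRING carried as the KeyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not expected for KeyUsage")
    if length < 1 or len(der) != 2 + length:
        raise ValueError("truncated or overlong BIT STRING")
    unused = der[2]          # number of padding bits in the last byte
    body = der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    usable = len(body) * 8 - unused
    names = set()
    for i in range(usable):
        if (body[i // 8] >> (7 - i % 8)) & 1:
            names.add(KEY_USAGE_BITS.get(i, f"bit{i}"))
    return frozenset(names)


@dataclass(frozen=True)
class CertRecord:
    """Minimal stand-in for a certificate as a keychain might index it (constructed)."""
    serial: int
    email: str
    not_before: datetime
    not_after: datetime
    key_usage_der: bytes


# What an S/MIME operation needs from the recipient's or signer's certificate.
PURPOSE_REQUIRES = {"encrypt": "keyEncipherment", "sign": "digitalSignature"}


def _valid_for(certs, email, now):
    return [c for c in certs if c.email == email and c.not_before <= now <= c.not_after]


def newest_cert(certs, email, now):
    """The naive rule: latest not_before wins, regardless of keyUsage."""
    return max(_valid_for(certs, email, now), key=lambda c: c.not_before, default=None)


def cert_for_purpose(certs, email, purpose, now):
    """Newest currently valid certificate whose keyUsage permits the purpose."""
    required = PURPOSE_REQUIRES[purpose]
    fit = [c for c in _valid_for(certs, email, now)
           if required in parse_key_usage(c.key_usage_der)]
    return max(fit, key=lambda c: c.not_before, default=None)


# Constructed sample: an older cert that allows signing and encryption, and a
# newer one issued as a signing-only key. The hex values are real DER
# encodings of the KeyUsage BIT STRING, not taken from any actual certificate.
SAMPLE_CERTS = [
    CertRecord(1001, "alice@example.gov", datetime(2006, 5, 1), datetime(2009, 5, 1),
               bytes.fromhex("030205a0")),   # digitalSignature + keyEncipherment
    CertRecord(2042, "alice@example.gov", datetime(2008, 4, 1), datetime(2011, 4, 1),
               bytes.fromhex("03020780")),   # digitalSignature only
]
NOW = datetime(2008, 5, 15)

if __name__ == "__main__":
    print("newest by date:", newest_cert(SAMPLE_CERTS, "alice@example.gov", NOW).serial)
    for purpose in ("encrypt", "sign"):
        chosen = cert_for_purpose(SAMPLE_CERTS, "alice@example.gov", purpose, NOW)
        print(purpose, "->", chosen.serial, sorted(parse_key_usage(chosen.key_usage_der)))
```

Run as-is, the date-only rule picks serial 2042 for everything, and encrypting to that certificate would fail the keyUsage check; the purpose-aware rule keeps using 1001 for encryption while signing verifies against 2042. Deleting the older entry, as the thread discusses, is exactly what leaves no encryption certificate behind.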
Fed-talk mailing list (email@hidden)