Just following up on the situation Paul Domagala and I worked through attempting to get OS X Snow Leopard Mail to handle ECA security certificates in an end-user-friendly fashion.
Apple Bug Report 7515516 filed by Paul Derby, DHS IT lead for BioWatch:
Summary: MAIL always uses X.509 certs by first matching the email address, then using the first non-expired cert stored on the sending machine, without checking key usage. If two certs are present, the first with key usage of "Digital Signature" and the second with key usage of "Key Encipherment", then when encryption is selected in MAIL, Mail should use the second cert to perform the encryption. Instead, MAIL is using the first key, which does not allow encryption of the email.
Steps to Reproduce: Person A sends Person B a signed message, resulting in Person A's signature key being placed in Keychain as the first cert. Person A sends Person B his encryption certificate containing his public encryption key. Person B double-clicks on the attachment, placing the cert on Person B's keychain as the second cert. Person B composes an email to Person A and clicks on the lock in MAIL to encrypt the message. Person B clicks on the SEND button in MAIL. Mail aborts, saying the message cannot be sent.
Expected Results: OS X should provide MAIL knowledge of the key usage of each cert. When an email address matches, the key usage should determine which certificate is used for encryption and which certificate is used for a signature, allowing email to be sent using the appropriate certificate based on key usage contained in the certificate.
Actual Results: MAIL is matching the first installed, non-expired key, ignoring the key usage in the certificate, and allowing the user to select encryption when the key usage is signature. When the SEND button is clicked, OS X blocks the sending of the email and reports a problem with the certificate. This is extremely confusing to the end user, since the two ECA-compliant certificates are present, one for signing, the other for encryption. Mail should use the correct matching certificate based on key usage, not on installation order.
Regression:
Notes: This has been a long-term problem in both Leopard and Snow Leopard. It really needs to be fixed, as more and more organizations are using ECA-compliant certificates that have separate signature and encryption certificates for each individual.
Apple has responded that this is a known problem and is a duplicate of Apple Bug ID# 7394554.
I've copied Andy Kemp (Apple Public Sector Sales), Ron Police (Apple's VP of Government Sales) and Shawn Geddis (Apple Federal Security Lead) hoping they can help us escalate this problem to get improvements in Apple Mail's handling of certificates.
We have spent a fair amount of time collaborating with IT staff at Los Alamos National Labs, Lawrence Livermore National Labs, the University of Minnesota Center for Infectious Disease Research and Policy, and Argonne National Labs figuring out ways to work around this Apple Mail situation. As DHS ramps up their PIV rollout and we move past the "early adopters" to large numbers of users needing to encrypt and sign email, this bug really needs to be addressed.
Anything anyone can do to escalate getting a fix to this problem would be appreciated by those of us at the institutions named above trying to support end users that have Apple's operating system in their work environment.
Regards,
Paul
--
Paul Derby
Chief Enterprise Architect
supporting BioWatch Systems Program Office as IT Lead
Department of Homeland Security
703-647-2745
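As an added illustration (not code from the message above, from Apple, or from any of the organizations named), here is the certificate selection the bug report's Expected Results asks for: match the address, skip expired certificates, then choose by the X.509 KeyUsage extension (RFC 5280, section 4.2.1.3) rather than by keychain order, alongside the order-based lookup the report describes as the actual behaviour. The `Cert` record, `decode_key_usage`, `select_cert` and `first_match_by_order` are this example's own names, and the KeyUsage DER bytes, addresses, dates and labels are constructed for it.

```python
"""Pick an S/MIME certificate by KeyUsage, not by keychain installation order.

Added example, not Apple's or the message author's code. Certificates are
modelled as small records carrying the raw DER of their KeyUsage extension;
all bytes, addresses and dates here are constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# KeyUsage named bits in bit-string order (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Which KeyUsage bits satisfy each S/MIME purpose: RSA key transport needs
# keyEncipherment, ECDH needs keyAgreement (RFC 5750 section 4.4.2).
PURPOSE_BITS = {
    "sign": {"digitalSignature", "nonRepudiation"},
    "encrypt": {"keyEncipherment", "keyAgreement"},
}


def decode_key_usage(der: bytes) -> frozenset:
    """Decode a DER KeyUsage BIT STRING: tag 0x03, short-form length, one
    byte giving the number of unused trailing bits, then the bit bytes.
    Bit 0 is the most significant bit of the first content byte."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")  # KeyUsage is always tiny
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return frozenset(names)


@dataclass
class Cert:
    email: str                    # rfc822Name from subjectAltName, in practice
    not_before: datetime
    not_after: datetime
    key_usage_der: Optional[bytes]  # None = extension absent = no restriction
    label: str                    # for readability in the example only


def _address_matches(cert: Cert, email: str) -> bool:
    # Simplification: compare case-insensitively, as mail clients commonly do.
    return cert.email.lower() == email.lower()


def _valid_at(cert: Cert, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after


def allows(cert: Cert, purpose: str) -> bool:
    """True if the certificate's KeyUsage permits the purpose."""
    if cert.key_usage_der is None:
        return True
    return bool(decode_key_usage(cert.key_usage_der) & PURPOSE_BITS[purpose])


def select_cert(certs: List[Cert], email: str, purpose: str, now: datetime) -> Optional[Cert]:
    """Expected behaviour: address, validity, then KeyUsage decide; order does not."""
    for cert in certs:
        if _address_matches(cert, email) and _valid_at(cert, now) and allows(cert, purpose):
            return cert
    return None


def first_match_by_order(certs: List[Cert], email: str, now: datetime) -> Optional[Cert]:
    """The behaviour the bug report describes: first non-expired cert for the
    address, with KeyUsage never consulted."""
    for cert in certs:
        if _address_matches(cert, email) and _valid_at(cert, now):
            return cert
    return None


# Constructed keychain in installation order: an expired encryption cert, then
# Person A's signing cert (arrived via a signed message), then A's encryption cert.
UTC = timezone.utc
NOW = datetime(2010, 3, 1, tzinfo=UTC)
SAMPLE_KEYCHAIN = [
    Cert("person.a@example.gov", datetime(2007, 1, 1, tzinfo=UTC), datetime(2009, 12, 31, tzinfo=UTC),
         b"\x03\x02\x05\x20", "A-encryption-expired"),  # keyEncipherment only
    Cert("person.a@example.gov", datetime(2009, 1, 1, tzinfo=UTC), datetime(2012, 1, 1, tzinfo=UTC),
         b"\x03\x02\x07\x80", "A-signing"),             # digitalSignature only
    Cert("person.a@example.gov", datetime(2009, 1, 1, tzinfo=UTC), datetime(2012, 1, 1, tzinfo=UTC),
         b"\x03\x02\x05\x20", "A-encryption"),          # keyEncipherment only
]

if __name__ == "__main__":
    addr = "person.a@example.gov"
    print("by order  :", first_match_by_order(SAMPLE_KEYCHAIN, addr, NOW).label)
    print("encrypt   :", select_cert(SAMPLE_KEYCHAIN, addr, "encrypt", NOW).label)
    print("sign      :", select_cert(SAMPLE_KEYCHAIN, addr, "sign", NOW).label)
```

Run stand-alone, the order-based lookup returns the signing certificate for Person A (the one Mail cannot encrypt with), while `select_cert` returns the encryption certificate for "encrypt" and the signing certificate for "sign". A client that applied `allows()` before enabling the lock icon would also avoid letting the user choose encryption when no usable certificate exists.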