Re: [Fed-Talk] Apple mail and signed mail. how to tell?
- Subject: Re: [Fed-Talk] Apple mail and signed mail. how to tell?
- From: "Neely, Lee" <email@hidden>
- Date: Thu, 16 Jul 2015 23:08:25 +0000
- Thread-topic: [Fed-Talk] Apple mail and signed mail. how to tell?
Certificates have a Key Usage field. Your CA automatically puts the correct attributes in that field.
Your decryption certificate is marked “Key Encipherment”
Your validation certificate is marked “Digital Signature”
If you have to configure your email client manually, say on an iPhone, you select the corresponding certificate for Encryption and Signing.
Lee
From: fed-talk-bounces+neely1=email@hidden [mailto:fed-talk-bounces+neely1=email@hidden]
On Behalf Of Marcus, Allan B
Sent: Thursday, July 16, 2015 3:58 PM
To: Blumenthal, Uri - 0553 - MITLL
Cc: Fed Talk
Subject: Re: [Fed-Talk] Apple mail and signed mail. how to tell?
We use two certs per person, one for signing and one for encryption. No problem (with this at least) with AppleMail; it’s all automatic. I believe the certs have to be created correctly, one for signing and one for encryption.
On Jul 13, 2015, at 12:44 PM, Blumenthal, Uri - 0553 - MITLL <email@hidden> wrote:
Compounded by the fact that Apple Mail doesn’t allow one to conveniently select a certificate to use with a given account, it looks like there is no alternative to Outlook.
:-(
I have covered how to do this quite a number of times on this list… You simply set an “Identity Preference” for the email address of choice and
then map that to desired certificate of choice. Was all part of the multiple “Name Suppression” discussions.
Shawn, I appreciate your help and many contributions. But the keyword here is conveniently. With most other tools, I can
explicitly select what certificates to use. With great tools I could do that on per-message basis. Here, while I agree that "Identity Preference” mechanism can provide a similar functionality [to selecting certs on a permanent basis], it is still quite cumbersome
(in my opinion). Not to mention that we routinely use different certs for signing and encrypting – and I don’t know how to do that with “Identity Preference” (how to tell it to use cert A as my signing cert, and cert B to pass along as my encrypting cert).
By default, Mail will always use the first valid certificate that the Keychain Services finds and provides from your keychain list associated
with the email address you are sending from - no matter how many certificates you have in your keychain(s).
If you were to read a message that you signed using the StartSSL certificate, the certificate will be gleaned from the message and added back to your
default keychain which is probably still your first keychain - hence the first certificate it finds.
But as I said above – it’s not “a cert", it’s “two certs”. How do I deal with it?
You can always provide OS with a “hint” as to which certificate to use for services like SMIME referred to as an “Identity Preference”. Perform
the following steps and you’ll be good to go:
- Launch Keychain Access
- Click on “My Certificates” in the Category area (lower left)
- Enter your email address in the search field (upper right)
- Locate and select (click once) on the Certificate you wish to use
- Select: Keychain Access -> File -> “New Identity Preference…”
- Enter your email address in the text field.
- The “Certificate” popup should already be populated with your selected Certificate.
- Click the “Add” button
If you’d like, you can go to your default keychain and look for and see the “Kind” listed as "identity preference”.
You can also perform this using the Command Line in Terminal with ‘security’:
security set-identity-preference -h
Usage: set-identity-preference [-n] [-c identity] [-s service] [-u keyUsage] [-Z hash] [keychain...]
-n Specify no identity (clears existing preference for service)
-c Specify identity by common name of the certificate
-s Specify service (may be a URL, RFC822 email address, DNS host, or
other name) for which this identity is to be preferred
-u Specify key usage (optional) - see man page for values
-Z Specify identity by SHA-1 hash of certificate (optional)
Set the preferred identity to use for a service.
You can also look at the man page for ’security’.
Mail will now use this certificate for signing your messages (for as long as it is still valid) no matter how many other certificates are present
in your keychain(s).
- Shawn
_____________________________
Shawn Geddis
Security and Certifications Engineer
Platform Security / CoreOS
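As an added example (not code from any message in this thread), the POSIX shell script below ties together the two points made above: Lee's note that the Key Usage field tells a signing certificate (Digital Signature) from an encryption certificate (Key Encipherment), and Shawn's `security set-identity-preference` procedure. It builds two constructed self-signed certificates with different key usages, classifies each from its Key Usage extension, and prints the `security` command that would bind each one to an email address by SHA-1 hash (`-Z`). The email address, subject names and file paths are placeholders; it needs OpenSSL 1.1.1 or newer, and the `security` commands are only printed, since that tool exists only on macOS and expects the certificate to already be in a keychain.

```shell
#!/bin/sh
# Added example, not part of the Fed-Talk thread. Builds two constructed test
# certificates, classifies them by Key Usage, and prints the macOS `security`
# identity-preference command for each. Needs OpenSSL >= 1.1.1.
set -eu

WORK="${TMPDIR:-/tmp}/idpref-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE: write a self-signed certificate whose keyUsage
# extension is exactly KEYUSAGE, and print the PEM path. Subject and email
# address are placeholders.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Sample User ($1)/emailAddress=user@example.test" \
        -addext "keyUsage=critical,$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
    echo "$WORK/$1.pem"
}

# cert_role CERT: print signing, encryption, both or none, based on the
# Digital Signature / Key Encipherment bits in the Key Usage extension.
cert_role() {
    ku=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | tail -n +2)
    sig=0; enc=0
    case "$ku" in *"Digital Signature"*) sig=1 ;; esac
    case "$ku" in *"Key Encipherment"*) enc=1 ;; esac
    if [ "$sig" -eq 1 ] && [ "$enc" -eq 1 ]; then echo both
    elif [ "$sig" -eq 1 ]; then echo signing
    elif [ "$enc" -eq 1 ]; then echo encryption
    else echo none
    fi
}

# cert_sha1 CERT: SHA-1 fingerprint as 40 uppercase hex digits with the
# colons removed, the form `security set-identity-preference -Z` takes.
cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# identity_pref_cmd EMAIL CERT [KEYUSAGE]: print the `security` invocation
# that makes CERT the preferred identity for EMAIL. Selecting by hash rather
# than common name (-c) avoids ambiguity when a signing and an encryption
# certificate share a name. The optional third argument is passed as -u; its
# numeric values are documented in `man security`, not reproduced here.
identity_pref_cmd() {
    usage_opt=""
    if [ $# -ge 3 ]; then usage_opt=" -u $3"; fi
    printf 'security set-identity-preference -s %s -Z %s%s\n' \
        "$1" "$(cert_sha1 "$2")" "$usage_opt"
}

# demo: create one certificate per role and show the classification and the
# command that would bind each to the placeholder address.
demo() {
    signing=$(make_cert signing digitalSignature)
    encryption=$(make_cert encryption keyEncipherment)
    for c in "$signing" "$encryption"; do
        printf '%s: %s\n' "$c" "$(cert_role "$c")"
        identity_pref_cmd user@example.test "$c"
    done
}

demo
```

On a Mac, the hashes to pass to `-Z` for certificates already in your keychain come from `security find-identity -v`, and `security get-identity-preference -s <address>` shows what is currently bound. Because the script only prints the commands, it can be run on any system with OpenSSL to check which role each certificate file carries before touching a keychain.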
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden