[Macpartners] Certificates and Secure Mail (was: Random People Appearing in Keychain Access)

John Canfield canfield at MIT.EDU
Fri Feb 19 21:16:04 EST 2010


I didn't have to search very long to find the answers to all my questions. So, for anyone who's interested, here's what I found about how to use your certificate to send secure email:

It wasn't obvious and seems a little counterintuitive, but if you want to send digitally signed and encrypted email, you have to tell Keychain Access to trust your own certificate. (double-click or Get-Info on it, expand the "Trust" item, and select "Always Trust".) I would have thought this is something that was set automatically when your certificate is installed, but apparently not.

Restart Mail and when you create a New Message, the buttons for digital signing and encryption will be there. Note that the digital signing option defaults to "On". Unless you manually turn it off each time, every message you compose or even just reply to will include your digital signature. (so maybe that's why you don't initially "Always Trust" yourself)

Anyway, sending and receiving a digitally signed message is only the first step in sending encrypted email. You can send digitally signed messages to anyone, but you can only send encrypted email to someone you have a certificate for. So for any of those certificates that Mail is automatically saving in Keychain Access, you can go in and "Always Trust" it (at least the S/MIME option). You can also do this from within Mail on the received email itself. Now, when you compose or reply to those people, the encrypt button will also be enabled.

I digitally signed this message, just to try it out. So if you're using Apple Mail, it should be showing up for you like Brian described. However, now that I've satisfied my curiosity, I think I'll turn it back off by not "Trusting" myself anymore. I have no need to send encrypted email right now and would rather not waste the overhead. (Nor have anybody wondering how my certificate wound up in their Keychain!)

I can see the advantage now of saving signed email certificates, but I wish it didn't happen automatically, or at least didn't default to always signing every outgoing email. (I'd bet there's probably an undocumented "defaults write" setting to modify that behavior.)

Elmer - John



On Feb 19, 2010, at 2:56 PM, John Canfield wrote:

> Well, that certainly explains exactly where they're coming from, though their purpose still seems rather dubious. These people likely did send email at some point in time, but nothing that was very important or secure. I doubt all of them even realize their certificates are being saved like this. It must be only recently that this behavior started.
> 
> So, how does the sender turn the feature on and off? I'm guessing these signatures have nothing to do with the "Signatures" in Mail Preferences that insert pre-defined text when composing a message. I'm not seeing anything else in Mail (in either Preferences or any of the menus) that would appear to control it.
> 
> And can the automatic saving of these certificates be turned off on the receiving end? A few are not so bad, but if lots of people start sending them, I envision Keychain Access becoming cluttered with hundreds of certificates from people who'll never need to send me secure email.
> 
> I'm speculating the empty "Microsoft_Intermediate_Access" keychain was created when I installed Office. (It's always typical of MS to litter the system with junk, isn't it?)
> 
> Elmer - John
> 
> P.S.: This is an amazing support group! In less than ten minutes there were several informative replies to my initial question.
> 
> 
> 
> On Feb 19, 2010, at 1:52 PM, Brian Bulmer wrote:
>> These certificates are encrypted mail certificates from other people, mostly ones that are using Apple Mail and sending signed mail.
>> You will get a certificate from each one as they send you signed mail, and you have the choice to either trust the signature, or not trust. These emails will come in with a yellow bar across the top that says, "Unable to verify message signature".
>> At any rate, when people send a message that is signed by their client, you will get these items stored in your keychain. You can always delete them, or trust the sending person, and then all messages from that user will be "Trusted", example included.
> 
> On Feb 19, 2010, at 1:47 PM, Jonathan Reed wrote:
>> The most likely cause of this is that someone sent you e-mail which they signed with their MIT certificate. Apple Mail automatically adds such certificates to the Keychain; it's possible that other e-mail clients do that too.
> 
> On Feb 19, 2010, at 1:47 PM, Jessica A Smith wrote:
>> You will see certificates for other individuals in the keychain if you’ve received e-mails on that computer from people who digitally sign their e-mails. It does not grant them any access to your computer, it simply remembers that those digital signatures are valid for future e-mails.
> 
> _______________________________________________
> Macpartners mailing list
> Macpartners at mit.edu
> http://mailman.mit.edu/mailman/listinfo/macpartners

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1842 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/macpartners/attachments/20100219/067007d3/attachment.bin
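The replies above explain that the certificates piling up in Keychain Access arrive inside S/MIME-signed messages (the scrubbed smime.p7s attachment on this very post is one). The following script is an added example, written for this page and not part of the thread or of Apple Mail; it uses only the Python standard library to inventory a set of raw messages and report which senders' mail carried a detached PKCS#7 signature, i.e. which senders' certificates a client like Apple Mail would have imported. The two messages and the tiny DER blob standing in for a real smime.p7s are constructed for the example; a real signature part would be a full PKCS#7 SignedData structure that also embeds the signer's certificate.

```python
import base64
import email
from email import policy

# MIME types used for a detached PKCS#7 (S/MIME) signature part
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def find_smime_signature(msg):
    """Return the detached signature part of an RFC 1847 multipart/signed
    message whose protocol is PKCS#7, or None if the message is not signed
    that way."""
    if msg.get_content_type() != "multipart/signed":
        return None
    protocol = (msg.get_param("protocol") or "").lower()
    if protocol not in SIGNATURE_TYPES:
        return None
    parts = list(msg.iter_parts())
    # RFC 1847: exactly two parts, the signed body followed by the signature
    if len(parts) != 2 or parts[1].get_content_type() not in SIGNATURE_TYPES:
        return None
    return parts[1]


def describe_signature(sig_part):
    """Basic facts about the smime.p7s part without parsing the PKCS#7 body."""
    blob = sig_part.get_content()  # base64-decoded bytes of smime.p7s
    return {
        "filename": sig_part.get_filename(),
        "size": len(blob),
        # PKCS#7 SignedData is DER; the outer ContentInfo is a SEQUENCE (tag 0x30)
        "looks_like_der": blob[:1] == b"\x30",
    }


def inventory(raw_messages):
    """For each raw RFC 822 message, report the sender and whether it carried
    an S/MIME signature. Senders marked signed are the ones whose certificates
    a client such as Apple Mail would add to the keychain on receipt."""
    report = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        sig = find_smime_signature(msg)
        entry = {"from": str(msg["From"]), "micalg": None, "signed": sig is not None}
        if sig is not None:
            entry["micalg"] = msg.get_param("micalg")
            entry.update(describe_signature(sig))
        report.append(entry)
    return report


# Constructed sample: a minimal DER SEQUENCE stands in for the real PKCS#7
# SignedData blob (which would normally also carry the signer's certificate).
FAKE_P7S = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed sample message in the shape Apple Mail sends when signing is on.
SIGNED_MESSAGE = f"""From: alice@example.edu
To: bob@example.edu
Subject: signed test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="bnd"

--bnd
Content-Type: text/plain; charset=us-ascii

Hello, this body is signed.
--bnd
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

{FAKE_P7S}
--bnd--
"""

# Constructed sample of an ordinary unsigned message for comparison.
PLAIN_MESSAGE = """From: carol@example.edu
To: bob@example.edu
Subject: unsigned test
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

No signature here.
"""

if __name__ == "__main__":
    for entry in inventory([SIGNED_MESSAGE, PLAIN_MESSAGE]):
        print(entry)
```

Pointing `inventory()` at the messages in a mailbox export gives the same list Keychain Access ends up with, which makes it easy to see that these entries are just the certificates of people who sent signed mail and not evidence of anything else.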

