Encryption galore in Mac OS X 10.3

Mac OS X has improved support for encryption on many levels. There is the FileVault feature storing your home directory in a dynamically growing disk image that is encrypted using the AES-256 encryption standard which can currently be considered to be quite safe. Although the feature basically works I would recommend waiting for other bravehearts to gain some experience with it as it is potentially endangering your files. I have seem at least one encrytped home directory being destroyed completely after a forced reboot on an early Panther beta version. It might be that Apple has cleared out all nasty bugs now, but you never know.

Improved handling of SSL is also part of Mac OS X as you can now have a user interface in the Keychain application to store X.509 certificates (CERTs) in your and the system certificate keychain (X509Anchors, residing in /System/Library/Keychains). For instance, if you visit the encrypted version of the CCC Home Page you will get a warning in Safari that the certificate is unknown and you might be in trouble. The only reason for this is, that the System (obviously) does not know anything about the CCC‘s own Certificate Authority (CA) handing out signed certificates for SSL encryption of web sites and mail servers. But as the public key of the CA‘s certificate is online, you can add that knowledge to your system easily.

  1. Get the CCC CA‘s certificate from http://www.ccc.de/ca/cacert.pem. This is stored in the so-called PEM format, which is the BASE64-encoded (“ascii savvy”) version of the ASN1 DER binary format (see here for an explanation).
  2. Once downloaded, double-click or drag the file to the Keychain application. A window will pop-up allowing you to review the certificate‘s contents and to store the CERT in the Keychain of your choice. In order to make Safari accept the CA, you have to select the X509Anchor keychain, that resides in your System directory. Storing the CERT in your private keychain is possible but useless.
  3. Relaunch Safari and connect to the CCC Home Page via HTTPS again. There shouldn‘t be any more warning messages now.

I have described the process for doing the same thing with Mac OS X 10.2 before. This is now obsolete as the Keychain makes it a lot easier right now.

Even more intriguing, Apple has added the X509 certificate-based support for encryption into the Mail application as well. However, I still wasn‘t able to bring it to work as many Trust Centers spitting out certificate are giving out certificates in DER format only, which Keychain doesn‘t support yet (for no obvious reason, if you ask me, but better ask Apple). It is a bit disappointing they chose the X.509 way only leaving the Web Of Trust-based popular PGP/GPG encryption behind. Maybe they just wouldn‘t want to compete with PGP products and chose to focus on the X.509 standards.

Any hints for making X.509 encryption work in Mail.app would be appreciated. I tried it with various free example certificates from TC TrustCenter and Thawte but I did not succeed persuading Mail to offer me encryption buttons (as promised in the help system) or even to verify the signatures sent to me by the Trust Centers!

The trust centers themselves seem to be quite clueless as well as they still seem to live in a browser- and Windows-centric world, offering “certificates for Netscape Navigator” and not realizing that CERT support has to be in the core of the operation system (and in case of Mac OS X, it already is). However, Joar has found a way by importing the CERT into Mozilla first and then converting it via Mozilla‘s backup function for inclusing in Keychain.

But beware: the X.509 approach to encryption is a bit problematic in my point of view. First, you have to give away your public key to public servers which is just an option in case of PGP/GPG. Second, you have to trust a trust center and other people have to trust the trust center that it trusts you to be yourself. There is no way of including your own first-hand-knowledge of identity of persons into this process. Actually, I wouldn‘t trust most of these trust centers, especially not VeriSign and all the sub-companies they already bought as they are far too close to the usual suspects in my point of view.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.