S/MIME Makes It Into Apple Mail

By far the coolest, most righteous, and totally awesome feature in Mac OS X 10.3 is the introduction of S/MIME functionality in Apple Mail. OK, maybe that’s just cool to me and a few other security geeks, but nevertheless this is a long overdue feature and an important advance towards more secure communications on the Mac platform. With this functionality, users can finally authenticate and encrypt using standard X.509-based certificates.

So for a brief lo-down on why I even give such a big whoop about the issue: I have worked as webmaster for several companies that specialize in this technology, notably Xcert, then briefly at RSA Security which bought out Xcert, then Certicom, and am just now doing some after-hours consulting for Kyberpass in what little spare time I have. Basically, I love this stuff…

And now for a brief overview of why you as an email user should care: Email is basically a very non-secure way of communicating. Your email is sent in plaintext from your computer through the internet which passes through several servers along the way to it’s intended destination, where it might easily be intercepted and read. If you are casually sending information such as personal financial info to your accountant, user IDs and passwords to partners, or just sending naughty messages to your spouse as I do, then you are risking having that information being read by a 3rd party. It is also possible that someone might impersonate another in order to deceive the recipient. The best technology for preventing these security compromises is by using “public key” authentication and encryption.

There are two common ways to achieve public key authentication and encryption. Most common is the use of the most excellent PGP, where trust can be achieved using a peer to peer model. S/MIME is the other option, and this protocol uses the X.509 standard which is the same standard used to secure web servers that use SSL. With S/MIME, trust of someone’s identity is passed from an already-trusted certificate authority (CA) such as Verisign or Thawte. If someone’s identity is valid against one of these CAs, you will get a positive confirmation of identity from your email program and will be able to decrypt any messages from them. If someone’s identity has expired or is invalid, your email program will kick back a warning and probably refuse to decrypt the message.

Common email clients include Netscape 4.x and Mozilla 1.x on all platforms, Outlook and Outlook Express for Windows, Lotus Notes R5, and now Apple’s Mail on the Panther platform. With your identity certificate installed, you would be able to send authenticated and encrypted messages to users on any of these email clients.

To set this up is still a bit tricky though. There’s little documentation in Apple’s Help docs, but there is a decent starter article on Apple’s support website, but that still doesn’t explain all the steps because the online certificate aquisition process is not fully supported in Safari yet. In my next post, I’ll explain how to get a free certificate from Thawte using Mozilla and how you can use it in Apple Mail on Panther.