Article: How to Set Up Encrypted Mail on Mac OS X
Subject: A flaw in the keychain process?
Date: 2004-01-23 12:35:23
From: mhelbing

Following the instructions in the article for setting up a new keychain for managing S/MIME private keys, everything worked great for sending mail: every time I tried to send an encrypted message I was prompted for my keychain password. However, once Mail.app prompted me for my keychain password to *decrypt* an encrypted message, the message remained unencrypted on subsequent viewings, even after quitting Mail.app and restarting it.
  • A flaw in the keychain process?
    2004-01-23 13:15:54  FJ de Kermadec | O'Reilly Blogger

    Hi!

    In order to decrypt someone's message, you need his public key. This element is automatically stored by Mail in your login keychain.

    The fact that Mail is unable to decrypt the message may indicate that this public key is missing or has become corrupted. You may want to ask the sender to send you a signed message and to read it (even if it is blank).

    That way, Mail will re-import the certificate and should be able to display the encrypted message correctly. For additional security, remove the old public key from the Keychain first.

    F.J.
    • A flaw in the keychain process?
      2004-01-23 15:00:24  mhelbing

      Perhaps I am not making myself clear.

      1) I send myself an encrypted message. I must enter the keychain password to unlock my private key to encrypt the message. Perfect.

      2) I check my mail and view the encrypted message. Before decrypting, I must again enter my keychain password. Perfect.

      3) I select a non-encrypted message. I can read it as expected, with no keychain prompt.

      4) I re-select the encrypted message. I am not prompted for my keychain password; the message is still decrypted. Not perfect. For this method to be secure, I would expect to enter my keychain password every time I view a message.

      5) I quit Mail.app. I re-start Mail.app. I select the encrypted message. I am not prompted for my keychain password; the message is still decrypted. Not perfect. I would expect that quitting Mail.app.

      6) I quit Mail.app and lock the keychain. Now when I re-open Mail.app and select the encrypted message I am prompted for my password.

      Perhaps Mail.app caches decrypted messages until the keychain is locked.
      • A flaw in the keychain process?
        2004-01-28 23:16:49  maximus

        Did you try to set "Ask for Keychain password" in addition to "Confirm before allowing access"?

        What happens in what you describe is that Mail *knows* it is still you at the computer so it has no reason to ask again to decrypt unless - I suspect - you set the keychain to ask for the password each time. (that should cover your point 4)

        As a measure of security you should lock the keychain again if you leave the computer unattended (if that was ultimately your concern).
        • A flaw in the keychain process?
          2004-02-25 14:28:42  nxnw

          "As a measure of security you should lock the keychain again if you leave the computer unattended (if that was ultimately your concern)"

          That does not work.

          The original poster is correct. Even if you lock your keychain, a message remains unencrypted (even if you close the message, even if you close the message browser) until you quit Mail.

          I think this is a design flaw.