Women in Technology

Hear us Roar


Article:
  How to Set Up Encrypted Mail on Mac OS X
Subject:   A flaw in the keychain process?
Date:   2004-01-23 15:00:24
From:   mhelbing
Response to: A flaw in the keychain process?

Perhaps I am not making myself clear.


1) I send myself an encrypted message. I must enter the keychain password to unlock my private key to encrypt the message. Perfect.


2) I check my mail and view the encrypted message. Before decrypting, I must again enter my keychain password. Perfect.


3) I select a non-encryped message. I can read it as expected, with no keychain prompt.


4) I re-select the encrypted message. I am not prompted for my keychain password; the message is still decrypted. Not perfect. For this method to be secure, I would expect to enter my keychain password every time I view a message.


5) I quit Mail.app. I re-start Mail.app. I select the encrypted message. I am not prompted for my keychain password; the message is still decrypted. Not perfect. I would expect that quitting Mail.app.


6) I quit Mail.app and lock the keychain. Now when I re-open Mail.app and select the encrypted message I prompted for my password.


Perhaps Mail.app caches decrypted messages until the keychain is locked.
Full Threads Oldest First

Showing messages 1 through 2 of 2.

  • A flaw in the keychain process?
    2004-01-28 23:16:49  maximus [View]

    Did you try to set : "Ask for Keychain password" in addition to "Confirm before allowing access"

    What happens in what you describe is that Mail *knows* it is still you at the computer so it has no reason to ask again to decrypt unless - I suspect - you set the keychain to ask for the password each time. (that should cover your point 4)

    As a measure of security you should lock the keychain again if you leave the computer unattended (if that was ultimately your concern)
    • A flaw in the keychain process?
      2004-02-25 14:28:42  nxnw [View]

      "As a measure of security you should lock the keychain again if you leave the computer unattended (if that was ultimately your concern)"

      That does not work.

      The original poster is correct. Even if you lock your keychain, a message remains unencrypted (even if you close the message, even if you close the message browser) until you quit mail.

      I think this is a design flaw.

Recommended for You
 
Sign up today to receive special discounts,
product alerts, and news from O'Reilly.
Privacy Policy >
View Sample Newsletter >