Mac OS X,  Mac OS X Server,  Mac Security

S/MIME in OS X Isn't Just For Tin Hat Wearing Nerds Anymore

S/MIME, or Secure/Multipurpose Internet Mail Extensions is the de facto standard for encrypting and signing mail. You can encrypt mail to keep prying eyes off of it. Signing though, is much more common as it addresses the issue of non-repudiation in many organizations, or giving people a way to make sure that the email that they think you sent really came from you. It was also available in GPG plug-ins for mail, back in the day.

But S/MIME used to really be for people who thought the government was out to get them, work for government agencies, just liked to be kinda’ nerdy or actually had something to hide. But is email security overkill? After a bunch of people get their Google Apps accounts exposed from phishing attacks I’d argue not. I use it for various situations but not all. That may just change in Lion, because while S/MIME has been built into OS X for some time in the form of the smime command it will be much easier to use in OS X as of Lion and now available in iOS 5.

First, get a certificate from one of these providers (my favorite is Verisign, but Comodo is free):

  • Comodo: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html
  • CAcert: https://www.cacert.org/index.php?id=1
  • Secorio: http://www.secorio.com/index.php?S_MIME_Email_Certificates
  • Symantec: http://www.trustcenter.de/en/index.htm
  • StartCom: https://cert.startcom.org
  • Verisign: https://www.verisign.com/authentication/digital-id/index.html
  • GlobalSign: http://www.globalsign.com/authentication-secure-email

Once you have downloaded the certificate files from the sites you can easily install them by double-clicking them, which imports them into the login keychain. Many organizations are going to want to script this process. To import the certificates, use the security command. Here we’ll import a Comodo p7 cert:

security import -/Downloads/CollectCCC.p7s -f pkcs7

Once imported, the certs can be escrowed by control-clicking on the cert in Keychain Access and exporting as .pem files. For organizations that want users to import their certs off of a site, the certs can be curl’d down for user-specific entries and intermediaries and certificates imported:

curl -o /tmp/mycert.crt http://username:password@www.krypted.com/username/username.crt

Which brings up a final point. If you give certificates to users, rather than having them download and load up their own, you will have control over whether or not keys get escrowed and if so, how. When just using signing, you may not care. But when messages are being encrypted, many organizations will have regulatory or eDiscovery situations that require the escrowing of keys to be able to unlock the contents of messages that are encrypted. For this reason, the some will need to export the certificate that was imported. Of course, if you escrow private keys for certificates then can the receiver ever know for certain you sent the message? I guess that comes down to process. If you require two people to turn a key at the same time when the sun shines through this one special crystal and makes the tomb glow red, then you may be able to keep people out. But then there are conspiracies and we’re back to preparing our tin foil as head gear…

Anyway, mail has supported smime for some time, as can be seen in this O’Reilly article from 8 years ago. There’s also an smime command line tool that goes pretty far back. Importing certificates into iOS is about as easy as importing them into OS X, but you can also distribute certificates using mobileconfig files, which I wrote an article on awhile ago. One can assume that the Profile Manager feature announced in OS X Server will allow you to deploy these over MDM, but then we might just have to wait until fall to see what that’s all about…