[nycbug-talk] Root certificates on OS X...

Bob Ippolito bob
Sun Jul 25 05:23:54 EDT 2004


On Jul 25, 2004, at 4:25 AM, Queco Jones wrote:

> A friend recently told me about http://cacert.org and said I should
> download/install the root certificate.  I went to the site and it says
> that it works with IE.  So I started up IE and tried it, but I got a
> pop up asking me for a passphrase or something and clicked the cancel
> button.  I talked to my friend and later, when I tried it again, I got
> a pop up saying that the certificate wasn't valid.  Now I'm wondering if
> I did something to mess it all up...

Don't use IE on the Mac.  Ever.  It's not relevant anyways.

> The reason I was interested in it is because when I get an email from
> my friend, Mail.app displays a message saying that it's "unable to
> verify message signature."
>
> I have GPG and the GPGMail plug-in installed, but my friend says that
> it won't work until I get the root certificate installed.  My question
> is, can anybody point me to documentation that explains just how to go
> about doing this?

S/MIME, the specification used by CACert, Thawte, etc. and supported in 
stock configurations of popular email clients such as Mail.app, is 
definitely *NOT* GPG.  Completely different stuff.  GPG is for rings of 
trust, S/MIME is more centralized.  Personally I don't think that GPG 
really has a chance because S/MIME is already so widely adopted, and 
PGP/GPG is well, not.  Probably because PGP is proprietary software and 
GPG is GPL, where S/MIME takes advantage of the machinery that's 
already in OpenSSL and other frameworks that people were already using 
for other things (like encrypted IMAP, POP3, SMTP, HTTP) so licensing 
isn't really an issue.

> I also wonder if it can't be done with Safari instead of IE...

It actually has nothing to do with the browser, *especially* if you are 
using it for Mail! :)

OS X has a global registry for certificates in a keychain called 
X509Anchors.  Download the "certificate for most browsers" and double 
click it.  Safari will download it as a .crt file, double-click the 
file from Finder and Keychain will ask you where to import it to.  You 
want to import it to the X509Anchors keychain.  Though the registry is 
global and is available by public API, it's mostly just Apple apps that 
take advantage of it (Safari and Mail being the big ones).  Stuff from 
the Mozilla project doesn't currently leverage Apple's APIs to my 
knowledge, for example.

Note that I may have done something a long time ago that makes 
X509Anchors show up in the list, and I'm running a beta version of OS X 
on this laptop, so the instructions may very well differ slightly.  I 
also have no recollection of how OS X 10.2 handled such things, if you 
happen to be that unfortunate.  If my instructions aren't good enough 
for whatever reason, Google is your friend.  X509Anchors, "OS X", 
Keychain, etc. are all pretty good keywords.

-bob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3589 bytes
Desc: not available
Url : http://lists.nycbug.org/pipermail/talk/attachments/20040725/3a531f8d/attachment.bin 
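
The reply above turns on the signature being S/MIME rather than GPG, which decides whether a CA root certificate or a sender's public key is the missing piece. The following is an added example, not part of the original post: it reads the MIME headers of a message and reports which scheme signed it. The sample messages are constructed, and `signature_scheme`, `what_is_missing` and `sample` are hypothetical helper names.

```python
from email import message_from_string

SMIME_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
NEEDS = {  # what the mail client must already trust to verify each scheme
    "smime": "the issuing CA's root certificate (X509Anchors keychain in the post)",
    "pgp": "the sender's public key in the GnuPG keyring",
    "none": "nothing, the message is unsigned",
}

def signature_scheme(raw: str) -> str:
    """Return 'smime', 'pgp' or 'none' for a raw RFC 822 message."""
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "multipart/signed":
            # RFC 1847: the protocol parameter names the signature format.
            proto = str(part.get_param("protocol") or "").lower()
            if proto in SMIME_PROTOCOLS:
                return "smime"
            if proto == "application/pgp-signature":
                return "pgp"
        elif ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
            # Opaque S/MIME: the text is wrapped inside the signed CMS object.
            if str(part.get_param("smime-type") or "").lower() == "signed-data":
                return "smime"
        elif ctype == "text/plain":
            body = part.get_payload()
            if isinstance(body, str) and "-----BEGIN PGP SIGNED MESSAGE-----" in body:
                return "pgp"  # inline (clearsigned) PGP
    return "none"

def what_is_missing(raw: str) -> str:
    return NEEDS[signature_scheme(raw)]

def sample(protocol: str) -> str:
    """Constructed multipart/signed message; the signature body is a placeholder."""
    return (
        "From: friend@example.org\nSubject: test\nMIME-Version: 1.0\n"
        f'Content-Type: multipart/signed; protocol="{protocol}"; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nhello\n"
        f"--b\nContent-Type: {protocol}\n\nPLACEHOLDER\n--b--\n"
    )

if __name__ == "__main__":
    for proto in ("application/pkcs7-signature", "application/pgp-signature"):
        print(proto, "->", what_is_missing(sample(proto)))
```
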


