Secure use of private keys in OS X Mail and Outlook

I finally got around to installing a digital certificate on OS X, so I can sign email messages in Panther's Mail app as I always do in Outlook on Windows. The recipe for acquiring and installing the cert is, unfortunately, guaranteed to scare away Aunt Tillie. But if you've gotten that far, you might want to consider an extra step to secure the use of your private key.

In Outlook, I've set things up so that messages are always signed. What's more, I have to type a password to unlock my private key each time I use it to sign a message. If the signature is going to be meaningful, I want to be sure -- and I want you to be sure -- that some piece of rogue software hasn't coerced Outlook into using cached credentials. I also find the extra confirmation step helpful, in the same way that a real signature can be. Even though it becomes an automatic reflex, it's not a completely unconscious act. And I don't send so many emails in a day that I can't afford a few seconds to consider the consequences of my words.

Achieving this effect in Outlook is wildly obscure. Once the cert is installed, I haven't found a way to up the security to require a per-use password. It's only when requesting the cert that you're given that option. Here's a movie that shows how it works when requesting an Outlook S/MIME cert from Thawte.

The analogous procedure in OS X is nicer. Here's a movie showing how to twiddle the settings on your private key, in Keychain Access, in order to require the keychain password (not, as in Outlook, a per-key password) when signing. And this movie shows the result: you have to type the keychain password in order to send a signed message.

I used the trial version of Qarbon to make these movies. Based on the comments I see here, it seems that Macromedia's RoboDemo should be the next screen video tool I try.

Former URL: