More on OS X certs

I mentioned the other day that OS X Mail and Outlook handled a DoD email certificate differently: OS X Mail trusted the cert, and Outlook didn't. The obvious explanation -- that OS X has the DoD root certificates pre-installed, whereas Windows doesn't -- somehow never occurred to me. But according to Daniel Dulay, that is indeed the case:

I have worked in the computer security field in the past, and I have experience with deploying PKI in enterprises. I also have had a little exposure to the DoD smart card, the Common Access Card or CAC card. I'd like to comment on your story about receiving an email signed by a DoD user and your description of Mail.app as "questionable" for having trusted this digital signature.

First, a kludgy little trick I learned in OS X. Do you know how to read the certificate authorities that Apple has shipped with Panther? The certs are stored in /System/Library/Keychains/X509Anchors and /System/Library/Keychains/X509Certificates, and you may use Keychain Access to read these files. In Keychain Access go to File -> Add Keychain... and point to one of these files. I should add the caveat that I have always made a copy of these files first because I don't know how robust Keychain Access is or if this functionality is supported by Apple. (Another way to access these files is the command line certtool utility. See "man certtool" for some surprisingly detailed documentation.)

So if you open up the cert authorities, then you will find that the DoD certs are already installed on your system! This is why Mail.app trusted the digital signature from the DoD. Your Windows box probably did not have the DoD cert installed (I know win2k does not, but I am not sure about XP).

Why are these certificates already there? Because Panther is supposed to have CAC card support built in! I have not seen it for myself, but you can find some tools under /usr/libexec/SmartCardServices. Panther is supposed to support smart card logins, and I assume that a smart card's certificates can be used with Mail.app or Safari. There is a detail-free article on Apple's web site, http://docs.info.apple.com/article.html?artnum=152235, and I would love to find out more.

Interesting! I checked and sure enough, OS X trusts a bunch of DoD root certification authorities. Who would have thunk it? Thanks, Daniel.
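The whole episode comes down to which root certificates each client has in its anchor list. The script below is an added example, not code from the original post or from Daniel's email: instead of opening the Panther keychain files in Keychain Access or certtool, it builds a throw-away PKI with openssl (two unrelated self-signed roots and one signer certificate issued by the first root, all names constructed here) and then checks the same signer certificate against two different trust stores. The client holding root A accepts the signature; the client holding only root B rejects it, exactly the Mail.app-versus-Outlook split described above. The `list_anchors` helper shows how to read the subjects out of a PEM bundle, which is the portable equivalent of "open up the cert authorities" on a system where you can export the anchors to PEM.

```shell
#!/bin/sh
# Added example (not from the original post): a constructed PKI showing that
# whether a signature is "trusted" depends only on which roots the verifying
# client has installed. All subjects, keys and file names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA. $1 = basename, $2 = subject.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" >/dev/null 2>&1
}

# Issue an end-entity (email signer) certificate from a root.
# $1 = root basename, $2 = signer basename, $3 = subject.
issue_signer() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "$3" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Print the subject of every certificate in a PEM bundle, i.e. the anchors a
# client would trust if this bundle were its root store.
list_anchors() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | grep '^subject='
}

# Verify a certificate against an explicit trust store only. The system's
# default store is deliberately ignored so the result reflects nothing but the
# anchors in $1, the way a mail client with its own anchor list behaves.
# Prints "trusted" or "untrusted" and returns 0 or 1 accordingly.
check_trust() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
        return 0
    fi
    echo untrusted
    return 1
}

# Build the constructed PKI: root A issues the signer; root B is unrelated.
make_root rootA "/O=Constructed PKI/CN=Constructed Root A"
make_root rootB "/O=Constructed PKI/CN=Constructed Root B"
issue_signer rootA signer "/O=Constructed PKI/CN=Constructed Signer"

echo "Anchors in store A:"; list_anchors "$WORK/rootA.pem"
echo "Anchors in store B:"; list_anchors "$WORK/rootB.pem"

# A client whose anchors include root A (Mail.app with the roots pre-installed):
check_trust "$WORK/rootA.pem" "$WORK/signer.pem"            # prints: trusted
# A client whose anchors do not include root A (the Windows box in the story):
check_trust "$WORK/rootB.pem" "$WORK/signer.pem" || true    # prints: untrusted
```

The useful habit this illustrates: when two clients disagree about a signature, compare their anchor lists before blaming either client; "trusted" only ever means "chains to something in this particular store".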


Former URL: http://weblog.infoworld.com/udell/2004/03/22.html#a949