'Security problem' with Entourage 2004 & digital signature


Richard Kempe

I'm having a small problem when signing messages with my Thawte
X.509 certificate in Entourage 2004 (I'm running OS X 10.3.4).

The problem is simply this: when Entourage performs its 5-point security
check prior to sending a message it reports that my outgoing messages
have a 'security problem' in that they've failed to meet the second criterion
of the check -- 'You do not trust the signing digital ID'.

I've checked my certificate in the Keychain and ensured that its trust settings
are set to 'Always Trust', but this has made no difference at all.

Friends using Outlook Express under Windows XP have reported that my
mail shows up at their end as having a 'security problem' and they're unable
to reply to it.

I'd really appreciate any suggestions/helpful hints anyone may have to offer.
 

Chris Ridd

> I'm having a small problem when signing messages with my Thawte
> X.509 certificate in Entourage 2004 (I'm running OS X 10.3.4).
>
> The problem is simply this: when Entourage performs its 5-point security
> check prior to sending a message it reports that my outgoing messages
> have a 'security problem' in that they've failed to meet the second criterion
> of the check -- 'You do not trust the signing digital ID'.
>
> I've checked my certificate in the Keychain and ensured that its trust settings
> are set to 'Always Trust', but this has made no difference at all.

I'm not sure if those popups actually set anything persistent.

> Friends using Outlook Express under Windows XP have reported that my
> mail shows up at their end as having a 'security problem' and they're unable
> to reply to it.
>
> I'd really appreciate any suggestions/helpful hints anyone may have to offer.

Does importing Thawte's signing cert into your X509Anchors file help at all?

Cheers,

Chris
 

Richard Kempe

Thanks for your response, Chris.

> I'm not sure if those popups actually set anything persistent.

Short of venturing into UNIX and editing the certificate's trust settings where
else would one accomplish this? In any case, the settings _do_ seem to
persist -- they don't revert to 'Use System Settings' on quitting from
Keychain Access.

> Does importing Thawte's signing cert into your X509Anchors
> file help at all?

I wouldn't have the first clue -- either how to import the certificate, or
whether it would help. (I'm inclined to think, however, that it may already
have been imported.)

Regards,

Richard
 

Barry Wainwright

> Friends using Outlook Express under Windows XP have reported that my
> mail shows up at their end as having a 'security problem' and they're unable
> to reply to it.

Yes, they can reply.

First, they get the warning because they do not have the root certificate in
their installation, so they can't trust yours.

Next, they would still have the same problem replying to you even if they
could trust your signature. By default, OE in Win XP (and other versions) is
set to sign replies to signed messages. If they haven't got a signature,
winOE still (stupidly) tries to sign the reply, but of course it fails
(because they haven't got a signature set up!).

In the toolbar for the reply message in OE, there is a button to select
digital signing on that particular message. Your users on winXP just need to
learn how to push this button to deselect message signing before sending -
it will then go through just fine.

Aren't you glad you use a mac :)
 

Chris Ridd

> Thanks for your response, Chris.
>
> Short of venturing into UNIX and editing the certificate's trust settings where
> else would one accomplish this? In any case, the settings _do_ seem to
> persist -- they don't revert to 'Use System Settings' on quitting from
> Keychain Access.

To be honest I've not played with those popups much.

> I wouldn't have the first clue -- either how to import the certificate, or
> whether it would help. (I'm inclined to think, however, that it may already
> have been imported.)

Unless you have the certificate that signed your cert somewhere (and maybe
it doesn't have to be in X509Anchors, see below), you can't *really* trust
it, and I could see why Entourage barfs when trying to sign your mail.

Do you have Entourage set to include your cert in the message?

I've got two mail accounts, and have a key pair for each account. The
account I'm using for news has a Thawte Freemail certificate. Using Keychain
Access.app I can see (in my login keychain) 4 certificate "items": one
"Thawte Freemail Member" which is issued to me, one "Thawte Person Freemail
Issuing CA" which is the thing that signed the first cert, and a similar
pair of certs for my other account (which uses our in-house CA). I have two
private key "items" which I hope correspond to my two user certificates.

If you want to experiment off-list, feel free to email me. I'll sign my
reply :)

Cheers,

Chris
 

Walt Basil

> I'm having a small problem when signing messages with my Thawte
> X.509 certificate in Entourage 2004 (I'm running OS X 10.3.4).
>
> The problem is simply this: when Entourage performs its 5-point security
> check prior to sending a message it reports that my outgoing messages
> have a 'security problem' in that they've failed to meet the second criterion
> of the check -- 'You do not trust the signing digital ID'.
>
> I've checked my certificate in the Keychain and ensured that its trust settings
> are set to 'Always Trust', but this has made no difference at all.
>
> Friends using Outlook Express under Windows XP have reported that my
> mail shows up at their end as having a 'security problem' and they're unable
> to reply to it.
>
> I'd really appreciate any suggestions/helpful hints anyone may have to offer.

See this tutorial. You may find something that you left out.
<http://www.basilweb.net/macoffice/digid1.html>

--
Walt Basil
www.basilweb.net

My Office site:
<http://www.basilweb.net/macoffice/office.html>

You can email me at (firstname)AT(lastname)web.net
 

Walt Basil

> See this tutorial. You may find something that you left out.
> <http://www.basilweb.net/macoffice/digid1.html>

In addition, someone mentioned here once that the free Digital ID that
Thawte hands out uses a generic Thawte freemail e-mail address, not your
own. If that's the case, then there will always be a problem in the
security, specifically, the check for "The digital ID's e-mail address does
match sender's" will fail. You'll see this when you "view details."

--
Walt Basil
www.basilweb.net

My Office site:
<http://www.basilweb.net/macoffice/office.html>

You can email me at (firstname)AT(lastname)web.net
 

Barry Wainwright

> In addition, someone mentioned here once that the free Digital ID that
> Thawte hands out uses a generic Thawte freemail e-mail address, not your
> own. If that's the case, then there will always be a problem in the
> security, specifically, the check for "The digital ID's e-mail address does
> match sender's" will fail. You'll see this when you "view details."


Thawte's free mail certificates work fine - they only use a generic 'display
name' (until you have accumulated enough 'points' to qualify for a proper
name), not 'email address'. I have a thawte cert for each of my email
addresses and there is no problem verifying them.
 

Chris Ridd

> In addition, someone mentioned here once that the free Digital ID that
> Thawte hands out uses a generic Thawte freemail e-mail address, not your
> own. If that's the case, then there will always be a problem in the
> security, specifically, the check for "The digital ID's e-mail address does
> match sender's" will fail. You'll see this when you "view details."

I just checked my Thawte Freemail cert, and this is not the case. The
subject DN is <emailAddress=my address,cn=Thawte Freemail Member>.

Cheers,

Chris
 

Richard Kempe

-----Original Message-----
> I'm having a small problem when signing messages with my Thawte
> X.509 certificate in Entourage 2004 (I'm running OS X 10.3.4).
>
> The problem is simply this: when Entourage performs its 5-point security
> check prior to sending a message it reports that my outgoing messages
> have a 'security problem' in that they've failed to meet the second criterion
> of the check -- 'You do not trust the signing digital ID'.

Many thanks to Chris, Walt and Barry.

With hints garnered from your responses to my original posting I now seem
to have solved my trust problem.

It appears (and I'm only speculating here, but I think I may be fairly close to
a valid explanation) that Entourage wasn't 'seeing' my Thawte root certificate
(the certificate of the CA responsible for issuing my personal certificate, and
upon which its trust is based) despite the fact that it was present in my User
Keychain.

In fact, both the root certificate and my personal certificate were present in
my User Keychain, and my personal certificate was also present in a newly
created Keychain named 'Microsoft_Entity_Certificates'. I tried copying the
root certificate to M_E_Certs as well but that had no effect. However, when I
also placed copies of both certificates in the _other_ Microsoft Keychain,
'Microsoft_Intermediate_Certificates', the problem disappeared --
Entourage no longer reports a 'security problem' concerning my trusting my
own digital signature.

I haven't explored all the permutations and combinations relating to which
certificate(s) _must_ be in which Keychain(s) to enable Entourage to find
them but I now have both my root certificate and my personal certificate in
three places:

my User Keychain,
the Microsoft_Intermediate_Certificates Keychain, and the
Microsoft_Entity_Certificates Keychain.

Thanks again to you all for your assistance in solving a small but annoying
problem.

Regards,

Richard
 

Chris Ridd

> I haven't explored all the permutations and combinations relating to which
> certificate(s) _must_ be in which Keychain(s) to enable Entourage to find
> them but I now have both my root certificate and my personal certificate in
> three places:
>
> my User Keychain,
> the Microsoft_Intermediate_Certificates Keychain, and the
> Microsoft_Entity_Certificates Keychain.
>
> Thanks again to you all for your assistance in solving a small but annoying
> problem.

The Thawte Freemail certs are slightly unusual because they're not signed by
a root certificate. The cert that signs them is itself signed by a root
certificate. This is a perfectly legal thing for Thawte to do.

So you have these certs:

Thawte Freemail Member (holding your email address)
[signed by] Thawte Personal Freemail Issuing CA
[signed by] Thawte Personal Freemail CA

You can use the MS Cert Manager tool to move the middle cert ("Thawte
Personal Freemail Issuing CA") into the "Intermediate Certificate
Authorities" keychain, which is the "Microsoft_Intermediate_Certificates"
keychain displayed by Keychain Access.

To move the cert you can export it from one keychain and import it to
another, all from within MS Cert Manager.

As a result Entourage no longer complains when asked to sign messages using
the Thawte Freemail keypair. It also correctly validates received messages
that are signed using the same keypair.

My system's not particularly clean now, so there may well be something else
you have to do.

Cheers,

Chris
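The three-level chain Chris describes, as an added example in Go (not code from the thread, from Entourage or from Keychain): it constructs a root CA, an issuing (intermediate) CA and a member certificate with made-up example names and address, then runs the "do you trust the signing digital ID" check first with only the root trusted, which is what a client sees when the intermediate sits in a store it does not search, and then with the intermediate supplied.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a cert for cn with parent/parentKey (self-signed when parent is nil); a non-empty email makes it an end-entity S/MIME cert rather than a CA.
func issue(serial int64, cn, email string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: email == "",
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if email != "" { // end-entity cert: carries the address a mail client compares with the sender's
		tmpl.KeyUsage, tmpl.EmailAddresses = x509.KeyUsageDigitalSignature, []string{email}
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain mirrors the layout in the thread: root CA -> issuing (intermediate) CA -> member cert; names are constructed examples.
func BuildChain(email string) (root, issuing, member *x509.Certificate) {
	root, rootKey := issue(1, "Example Personal Freemail CA", "", nil, nil)
	issuing, issKey := issue(2, "Example Personal Freemail Issuing CA", "", root, rootKey)
	member, _ = issue(3, "Example Freemail Member", email, issuing, issKey)
	return
}

// TrustSigner is the "do you trust the signing digital ID" check: member must chain to the trusted root through whatever intermediates the client can find in its stores.
func TrustSigner(member, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	opts.Roots.AddCert(root)
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := member.Verify(opts)
	return err
}
```

With only the root in the trusted pool, TrustSigner returns an unknown-authority error because the member cert's issuer cannot be found; once the issuing CA is offered as an intermediate, the same member cert verifies cleanly.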
 