[Cryptography] Size of the PGP userbase?

Jerry Leichter leichter at lrw.com
Thu Dec 12 16:28:10 EST 2013


On Dec 12, 2013, at 11:54 AM, "Christian Huitema" <huitema at huitema.net> wrote:
(Issues with using S/Mime - or PGP - with Outlook.)

Out of curiosity, I decided to see how this worked in Mail.app, which has built-in support for S/Mime.  Incoming support for signed messages is easy:  When a signed message arrives, the Mac automatically downloads the necessary certificate, installs it in your Keychain, and adds an indication to the mail.  I've never received an encrypted S/Mime message, so I don't know the flows in that case.

As for sending signed mail, it's easy to find an Apple article - http://support.apple.com/kb/PH11790?viewlocale=en_US - telling you how to send a signed or encrypted message.  It has a link to an article telling you how to install a certificate in your keychain.

Unfortunately, it gives you no hint about how to actually *get* such a certificate.  Most users would probably get stuck at this point.

For those willing to do a bit of work, a quick Google search for "get mail signing certificate" led me to Comodo, where it was fairly straightforward to create a certificate.  After confirmation, you end up at a page that tells you it's trying to download and install your certificate.  But it just sits there - I don't know if the "and install" part can work on a Mac at all, or whether it only works because I disable "open safe files automatically".  But eventually I figured out that it had downloaded a small .p7c file.  I tried all the recommended ways to add it to Keychain.  From the GUI, nothing seemed to happen.  Using the command line "certtool" utility, I was able to get an error message claiming that the file had "Bad PEM formatting" and an abort.  Except, as I found out much later ... I had, somewhere along the way, already added the certificate.  (A discussion on the Comodo website shows that others have had the same problem for months; no solution was given.)

Since the Comodo certificate seemed not to work, I went back to my search and found CACert.  I again created and downloaded a certificate; this one seemed to install just fine.

Unfortunately, though, Mail doesn't see the certificates.  I tried repeatedly to sign this message - including along the way marking my CACert certificate, and the CACert public CA certificate, as trusted from Email (as the Mac considers it an unknown certificate authority otherwise).  (The Mac already trusts Comodo.) The option to sign just fails to appear.  Of course, this being a Mac, when you use the GUI you get no error messages.  (There's nothing in the system logs either.)  "It just works" or "It just doesn't work" - nothing in between.

Summary:  On the surface, the Mac provides easy-to-use support.  But when you actually try to enable it, it fails in a way that is certainly beyond the ability of most users to fix - and even being quite knowledgeable about this stuff, after 1/2 an hour or so of trying, I gave up.

I suspect the Mac implementation works very well when someone sets up certs for end users; just using them is easy.  But for the ordinary user trying to get going on his own, the problems are probably insurmountable.

                                                        -- Jerry
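The "Bad PEM formatting" failure described above is the kind of thing a small diagnostic can pin down before anyone starts clicking around in Keychain. The following script is an added example, not part of Jerry's post and not Apple, Comodo or CACert code. It assumes (as an illustration, not as a confirmed diagnosis of Jerry's file) that the downloaded .p7c was a DER-encoded PKCS#7 bundle being fed to a tool that only accepts PEM: it classifies a file as PEM or DER, checks that the outer DER length matches the file size (a truncated or padded download is a common reason an import silently does nothing), and converts between the two encodings. The sample DER blob is a constructed minimal SEQUENCE used only to exercise the checks; it is not a certificate.

```python
import base64
import re
import sys
import textwrap

# Matches one PEM block and captures its label and base64 body.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)

# Constructed sample, NOT a real certificate: SEQUENCE { OID 1.2.3.4, INTEGER 5 }.
SAMPLE_DER = b"\x30\x08\x06\x03\x2a\x03\x04\x02\x01\x05"


def detect_encoding(data: bytes) -> str:
    """Classify certificate bytes as PEM, DER, or unknown."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":  # every X.509 cert and PKCS#7 blob starts with a DER SEQUENCE tag
        return "DER"
    return "unknown"


def der_outer_length(data: bytes):
    """Return (header_len, content_len) of the outer DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:  # short form: the byte is the length itself
        return 2, first
    n = first & 0x7F  # long form: n following bytes hold the length, big-endian
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def check_der(data: bytes) -> str:
    """Compare the declared outer length with the actual byte count."""
    parsed = der_outer_length(data)
    if parsed is None:
        return "not a DER SEQUENCE"
    header_len, content_len = parsed
    expected = header_len + content_len
    if len(data) < expected:
        return f"truncated: have {len(data)} bytes, need {expected}"
    if len(data) > expected:
        return f"trailing garbage: {len(data) - expected} extra bytes"
    return "ok"


def der_to_pem(der: bytes, label: str = "PKCS7") -> str:
    """Wrap DER bytes in a PEM envelope with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem) -> bytes:
    """Extract the first PEM block and decode it to DER; raises ValueError if none found."""
    raw = pem.encode("ascii") if isinstance(pem, str) else pem
    m = PEM_RE.search(raw)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(re.sub(rb"\s+", b"", m.group(2)))


def diagnose(data: bytes) -> str:
    """One-line verdict a user could act on before trying another import method."""
    enc = detect_encoding(data)
    if enc == "PEM":
        return "PEM: " + check_der(pem_to_der(data))
    if enc == "DER":
        return "DER: " + check_der(data) + " (PEM-only tools need der_to_pem() first)"
    return "unknown encoding: neither PEM nor a DER SEQUENCE"


if __name__ == "__main__":
    # Usage: python p7c_check.py downloaded.p7c
    with open(sys.argv[1], "rb") as fh:
        print(diagnose(fh.read()))
```

For real files the same distinction is what `openssl pkcs7 -inform DER -in file.p7c -print_certs` handles: it reads the DER bundle and prints each contained certificate as PEM, which every keychain importer accepts.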
 


