Annoyance of the Day: S/MIME and Mac Mail

S/MIME has what in my opinion is a flaw: There’s no authentication of the time that a message is sent. As far as I can tell, there’s not even any proposed extensions out there trying to fix this. As a result, when one signs an email message with a valid certificate, and then the expiration date of the signing certificate passes, one gets an error when one then later tries to read the email message, as the authenticity of the message can no longer be verified. (Signed code doesn’t have this problem, as the signer can have a third party add a signed timestamp to the code signature, so that the code can still be verified as having been signed by a valid certificate as of the date of the signature, even after the certificate’s expiration date.)

The practical upshot of that is, then when using S/MIME to sign one’s mail, one wants to renew the certificate and start using the new certificate a couple months before the expiration date of an older certificate. You want people that you email to be able to authenticate that your messages are genuine for at least a couple months.

So, for this period of at least a couple months, one would have two valid personal certificates installed on one’s system, the old one that expires in a couple months, and the new one (that would typically expire in a year). When sending email, one would pretty much always want to be signing with the newest certificate that has the latest expiration date. But, one wants to have both installed, in order to be able to decrypt messages sent that were encrypted to either key.

Mac Mail (and/or Mac Keychain Access, which it uses) doesn’t seem to see things that way. In Apple’s characteristic style, signing mail “just works” and there are no options to configure it. In particular, it just uses the first signing certificate that’s installed which is valid for the sending email addresses. And by “first signing certificate”, I mean the one that was installed first, which is going to be the one with the soonest expiration date.

So, whenever I renew my certificate and install the new one, I need to go into Mac Keychain Access, export the old certificate, delete it from the Keychain, and re-import it. That way, the old certificate is no longer the first signing certificate, and Mac Mail signs using the correct newest certificate that has the latest expiration date.

This is a real shame, because in most ways Mac Mail’s handling of S/MIME is just perfect, since it does “just work” without any configuration. I just needed to get this annoyance off my chest. Thank you for reading.