Trying to set up encrypted mails but I'm confused about certificates and keys
Hello all, My first foray into encrypted emails and I'm already confused! To begin with, I'm trying to exchange mails with one other person, who I believe uses Outlook. So far:
He's sent me his certificate (although I thought I would receive his public key) which is a file called smime.p7m. I don't know what to do with this.
I've successfully followed the instructions at https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages. When I start a new mail, I can either go to the Enigmail menu and switch on encryption / digital signing and it seems fine, or I can go to the dropdown on the S/MIME button and it says "You need to set up one or more personal certificates before you can use this security feature." Are these two different ways of doing the same thing (in which case I'll use the one that works!) or not?
As you can see, I'm getting confused between keys and certificates! If some kind person could take a minute to explain what my next steps are, that would be much appreciated. I couldn't find anything on the Thunderbird support pages, though I know I need to send him my public key.
Thanks in advance. Stuart.
All Replies (5)
Stuart, I am not an expert in that area, but I've been reorganizing some of the support articles and offer the following for further reading: https://support.mozilla.org/en-US/kb/configuration-options-security https://support.mozilla.org/en-US/kb/configuring-certificates
If those don't help, come back
Hi Duggabe, Thanks for the reply (and for your work on Mozilla). Unfortunately no, those links didn't really help. If I knew what I was trying to do, they would help me to do it... but I haven't got to that point yet!
If you or anyone else can help further, that would be great.
Thanks. Stuart.
Stuart,
I'm confused too ;)
Mark this as 'not helping'. Then if you don't get another answer soon, you might request that it be 'elevated'.
In case it's useful to someone else... this blog post (http://iqsecur.blogspot.co.uk/2012/06/complete-guide-to-encrypting-and.html) was really useful!
Stuart8, good find, that article.
I found the main disincentive to using the built-in S/MIME capability is that it's not immediately obvious where to get your certificate and keys. Most providers want $$$ for them, which is natural enough if they are actually going to validate you in some way. I did at one time have a Thawte certificate and even enough WOT vouches to be a low-grade WOT Attorney.
Once you have your key, it's a bit of a pfaff to install it into Thunderbird. You'll probably find that S/MIME is the default in business correspondence, since many businesses operate their own mail servers, ftp servers and so on and probably have an arrangement to generate self-issued certificates or to buy them on a commercial basis from a CA.
Enigmail/OpenPGP doesn't require any financial outlay on your part, but is harder to get your keys properly validated since there's not much of a formal WOT nor a reliable central registry. You generate your own keys and it's pretty much all based on mutual trust.
Since the two systems are incompatible, you need to have set up the same as whatever your correspondent is using.
I suspect that you have discovered that it's a two-way process. In order for a correspondent to send you an encrypted message, you must both be using the same system, and he must have your public key to encrypt his message, and you'll need his in order to reply with encryption. So yes, he needs to send you his public key for you to send to him, but what he sends to you needs YOUR public key.
Obviously, signing messages is a useful halfway house. I believe that you sign with your private key, and the recipient will have to download your public key to validate your signature. Whilst a signature doesn't safeguard your privacy, it goes some way to proving that the message came from who it says it came from and that it hasn't been altered in transit. (I really can't understand why banks, lawyers, insurance companies haven't picked up on these encryption and signing schemes. Perhaps they actually prefer all those awful phone calls where you need to struggle to recall supposedly unforgettable names and dates! ;-) )
In practice, I find that if you sign a message to an outfit who don't know what to do with it, their numpty anti-virus system will probably barf on the signature which it thinks is executable code and therefore must be a virus or worm. :-(