Saturday, April 15, 2006

Using a Thawte Email Certificate with Outlook Express v1.0

How to encrypt your email turned into why encrypting your email is harder than it should be. So let's try again.

Step 1: Is your email client compatible?

The first thing is that you need a stand-alone email client. I am not aware of any webmail offering with S/MIME support to date.

Most modern email clients support S/MIME. Even PGP Inc. supports S/MIME. If you use Outlook, Outlook Express, Lotus Notes, Thunderbird or Opera, your existing mail client supports S/MIME. The same is true for most Apple email clients. Even Eudora, after being more or less the lone holdout for ten years, has native S/MIME support in its latest version (7).

Step 1a: Why not PGP?

PGP is a fine security product. OpenPGP is an open standard based on the PGP protocol. The only problem is that relatively few email clients provide native support for PGP, so an explanation of how to use PGP or the open-source GPG would also have to explain how to install it. If you can do all that, you probably don't need these instructions.

Step 2: Public Key Cryptography 101

To use S/MIME effectively it is best to know a little about what is going on under the covers. In particular you need to know about public keys and digital signatures.

Let's start with digital signatures. Imagine that you wanted a way of proving that you sent a particular email message, one that nobody else could forge. Since an email message is simply information, the only way we can prove that we sent it is to add some extra information to the message; we call that extra information a digital signature. To meet the anti-forgery requirement, the information you add has to be special: it has to be information that anyone can check but only you can create.

The way we do this is with a type of cryptography called public key cryptography. In public key cryptography we use two keys. One key is kept secret; the other can be made public. The secret key is used for the operations that only you should be able to do, that is, creating signatures and decrypting messages. The public key can be used by anyone to encrypt a message to be sent to you or to check your signature on a message.

Step 2a: Certificates

Public key cryptography allows us to know with certainty who sent a message, and to know with certainty that only the intended recipient can read the message, provided that the sender and receiver know each other's public key. This is the hard part of the problem. This is the problem I have spent fifteen years working on.

The best answer to date is to use a digital certificate. A digital certificate is a statement that says something like 'The key for Alice is 183828....'. Who signs the certificate... well, that's a long story. Suffice to say that the question of who signs certificates is loaded with several books' worth of political, technical and legal issues.

Step 3: Getting a certificate

There are several places you can get certificates. Thawte has the advantage of being free.

[Disclaimer: I work for VeriSign which owns Thawte, I am not speaking for either]

To get a certificate click on the button that says 'Join' and simply follow the instructions.

First you have to set up an account. There are several screens of forms to fill in, all pretty straightforward. Then they send an email message to verify the email address for the account.

Next you can apply for one or more certificates. This involves another set of forms. These are pretty straightforward because you have already filled in most of the information. The main oddity is that you have to respond to a second email to prove that you own the email address the certificate is for.

Once the application is done it may take some time before your certificate is ready; mine was ready ten minutes later. Again, follow the instructions and your certificate is ready to use.

Step 3: Configure your email client.

If you are using Outlook, you now need to open the Options dialog, select the security options tab and select the options to sign and encrypt email with your newly created certificate.

You can now sign and encrypt mail by opening the message options tab and selecting 'sign mail' or 'encrypt mail'.

To send an encrypted mail you need to have the certificate of the person you want to send email to. Signing your email means that your certificate is attached to every signed mail message you send, so the recipient can keep the certificate in their address book along with the rest of your contact info. The email client then pulls it up whenever it needs to send you an encrypted email.

Step 4: Publish your certificate

Probably the best way to do this at the moment is simply to publish the certificate on a Web site.

Step 5: This should be easier

I agree, and I am working on it. There is a ridiculous number of moving parts the user is expected to be aware of. On a usability email list recently someone posted the 'Top ten things users need to know about SSL'; it had 19 entries, and SSL is meant to be simpler than S/MIME.

This was put together in something of a hurry; I will try to redo it with some explanatory pictures, screen cams and so on.

2 comments:

Alex said...

As a matter of fact this situation is very simple, and to my mind here will help: undelete address book. Because the tool has many facilities and as far as I remember it is free; in addition the program repairs Windows Address Book contact entries and repairs your personal files with the wab extension.

Alexis said...

When I was at a resort in Turkey my notebook fell in water. Unfortunately all data were corrupted. But one waiter advised me: easy outlook express recovery. As he said, the tool is free and can restore damaged info. The software helped me very easily. Moreover it too easily opens these documents with any email program, or just select several files of eml format and drag them to the Outlook Express window.