S/MIME & Certificates
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard that adds digital signatures and encryption to MIME, the format used to package email bodies and attachments. With it you can encrypt individual messages, and you can also “sign” them electronically.
Encryption ensures that nobody except the intended recipient can read a message. Tamper-evidence comes from the signature, not from the encryption: a digital signature attached to an email proves two things:
- That the mail was signed with the private key belonging to the certificate for the sending address, in other words that it really came from that email address.
- That the mail has not been altered since it was signed, including while it was in transit.
A digital signature doesn’t necessarily prove that an email comes from you as a person, only that it came from a given email address. A third party (commonly called a Certification Authority, or CA) is required to assert and “guarantee” your identity by checking it before the certificate is issued.
X.509 Certificates
In order to digitally sign and encrypt messages with S/MIME, you must have a certificate that associates your email address with your identity. A certificate is an X.509 document containing your public key (a series of seemingly random letters and numbers), the email address it is bound to, and the signature of the CA that issued it. The matching private key never leaves your computer: it lives in your keychain and is what actually produces signatures and decrypts mail. Mail attaches your certificate (never the private key) to every message you sign, and you receive others’ certificates along with theirs.
Digital certificates are issued by organizations that guarantee their certificates’ trustworthiness, and that the Internet community considers reliable. A valid certificate proves that the sender controls the email address it names, but not necessarily that they are who they say they are. (For example, just because I own a certificate for the email address stevejobs@hotmail.com, that doesn’t prove that I’m Steve Jobs.) With further vetting, such as a notary validating the person’s identity, a signature may also prove that a mail was sent by a specific person, but initially the CA has only limited means to check that you are who you claim to be: typically it just sends a confirmation link to the address itself.
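As an added example (not code from the original article, and not how Thawte issues certificates), here is what such a certificate actually binds, built with the openssl command line: a throw-away self-signed identity for a made-up address, with the address in the subject alternative name and the emailProtection extended key usage that S/MIME clients look for. The name “Alice Example”, the address alice@example.com, the file names and the working directory are assumptions for the demonstration; the checks at the end show that the certificate carries only the public half of the key pair.

```shell
#!/bin/sh
# Added example, not code from the original article: build a throw-away S/MIME
# identity with the openssl CLI and look at what the certificate does and does not
# contain. Assumptions: openssl is on PATH; "Alice Example" / alice@example.com and
# the file names are made up for the demonstration.

WORK="${WORK:-$(mktemp -d)}"

# make_identity STEM "Common Name" EMAIL
#   writes $WORK/STEM.key (private key: stays with you) and
#          $WORK/STEM.crt (certificate: public key + address, sent with signed mail)
make_identity() {
  stem="$1"; cn="$2"; email="$3"
  cat > "$WORK/$stem.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = smime
[ dn ]
CN = $cn
emailAddress = $email
[ smime ]
# the address S/MIME clients compare against the From: header
subjectAltName = email:$email
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/$stem.cnf" \
    -keyout "$WORK/$stem.key" -out "$WORK/$stem.crt" 2>/dev/null
}

# cert_emails CERT -> the e-mail address(es) the certificate binds, one per line
cert_emails() { openssl x509 -in "$1" -noout -email | sort -u; }

# cert_is_smime CERT -> success if the extended key usage allows e-mail protection
cert_is_smime() { openssl x509 -in "$1" -noout -text | grep -q "E-mail Protection"; }

# pem_has_private_key FILE -> success if FILE carries private-key material
pem_has_private_key() { grep -q "PRIVATE KEY" "$1"; }

# key_matches_cert KEY CERT -> success if the public key inside CERT is the
# public half of KEY; this is the pair that has to stay together
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

make_identity alice "Alice Example" alice@example.com
echo "certificate binds: $(cert_emails "$WORK/alice.crt")"
cert_is_smime "$WORK/alice.crt" && echo "extended key usage permits S/MIME"
pem_has_private_key "$WORK/alice.crt" || echo "alice.crt holds no private key, so it is safe to send with every message"
pem_has_private_key "$WORK/alice.key" && echo "alice.key holds the private key, which never leaves this machine"
key_matches_cert "$WORK/alice.key" "$WORK/alice.crt" && echo "the two halves belong together"
```

A CA-issued certificate looks the same apart from the issuer field and the CA's signature in place of a self-signature; the address in the subject alternative name is what a mail client checks against the From: header when it reports a signature as valid.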
Obtaining a free certificate
I recommend getting a free personal email certificate from Thawte, a division of VeriSign. You must first establish an account, then request a certificate. Detailed instructions for these two steps are given below.
Registering With Thawte.com
- Open Safari and go to the Thawte Personal E-Mail Certificates page.
- Click “Join”. (A new window will appear.)
- Read the Terms and Conditions, then click “next”.
- Enter your name and birthdate, then click “next”.
- Enter the email address to be used as your Thawte ID and click “next”. Do not misspell it here!
- Adjust your language and charset settings if desired, then click “next”.
- Choose a password according to the provided guidelines, then click “next”.
- Select and complete 5 question-and-answer pairs, then click “next”.
- Confirm the information presented, then click “next”.
- To complete your registration, follow the instructions in an email sent to the address you specified.
Getting a certificate set up
- Open Safari and go to the Thawte Personal E-Mail Certificates page.
- Click “Login” and enter your Thawte ID and password.
- Make sure the email address for which you want a certificate is listed by clicking “my email” in the left sidebar menu. If not, click “new email address” and follow the steps.
- Select “certificates” from the left sidebar menu.
- Select “request a certificate”.
- Click the “request” button under “X.509 Format Certificates”. (A new window will appear.)
- Select “Mozilla Firefox/Thunderbird, Netscape Communicator/Messenger” and click “request”.
- Click “next”.
- Select the email address you want the certificate for (you can have multiple on file) and click “next”.
- Click “next”.
- Click “accept”.
- Select “2048 (High Grade)” from the drop menu and then click “next”.
- Click “finish”, then close the window.
- You will receive two emails in succession: the first notifying you that you have requested a certificate, and the second (several minutes later) notifying you that the certificate has been issued. To download and install the certificate, click the link in the second email. This will initiate a download of a file to your desktop. Keychain Access will recognize this file and will automatically load the certificate into your keychain. (This works in Tiger; Apple has a guide for adding a certificate to your keychain in Panther.)
Be sure to back up your certificate together with its private key (Keychain Access can export the two as a single password-protected .p12 file), because you won’t be able to download the key again: the CA only ever saw your public half. If you lose the private key, you can no longer decrypt mail that was encrypted to you, and you’ll have to revoke the certificate and request a new one, which is a pain and not wholly reliable because not every client checks certificate revocation lists. (In short, it’s easier to cancel a credit card than completely revoke a certificate.)
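The backup described above, as an added example that is not part of the original article: the private key and certificate are bundled into a password-protected PKCS#12 (.p12) file, the format Keychain Access and most mail clients import and export, and the restored pair is checked to still belong together. The identity is a throw-away self-signed one generated on the spot rather than the Thawte-issued one, and the password, names and paths are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: back up an S/MIME identity
# (private key + certificate) as a password-protected PKCS#12 bundle and prove the
# restored pair still matches. Assumptions: openssl is on PATH; the identity, the
# password and the file names are made up for the demonstration.

WORK="${WORK:-$(mktemp -d)}"

# throw-away self-signed identity standing in for the one the CA issued
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Alice Example/emailAddress=alice@example.com" \
  -keyout "$WORK/alice.key" -out "$WORK/alice.crt" 2>/dev/null

# backup_identity KEY CERT OUT.p12 PASSWORD: bundle both halves, sealed under PASSWORD
backup_identity() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# restore_identity IN.p12 PASSWORD OUTDIR: unpack to OUTDIR/restored.key and
# OUTDIR/restored.crt; fails on the integrity (MAC) check if PASSWORD is wrong
restore_identity() {
  mkdir -p "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/restored.key" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/restored.crt" 2>/dev/null
}

# key_matches_cert KEY CERT: the public key in CERT is the public half of KEY
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

backup_identity "$WORK/alice.key" "$WORK/alice.crt" "$WORK/alice.p12" "s3cret-backup"
restore_identity "$WORK/alice.p12" "s3cret-backup" "$WORK/good" && echo "restored"
key_matches_cert "$WORK/good/restored.key" "$WORK/good/restored.crt" && echo "restored key still matches the certificate"
restore_identity "$WORK/alice.p12" "wrong-password" "$WORK/bad" || echo "wrong password: the bundle stays sealed"
```

Keep the .p12 somewhere that is not the same disk as the keychain, and treat it like the private key it is: anyone who opens it can sign as you and read every message ever encrypted to that certificate.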
(While it is possible to use S/MIME in most other Mac email clients, I haven’t yet found any easy setup instructions. That’s not to say none exist, I just haven’t found any.)
Signing mail
After retrieving your certificate and verifying that it’s in your keychain, it’s time to relaunch Mail. Now that you have a certificate, Mail automatically allows you to send digitally signed emails. At the very right of Mail’s New Message window header, you’ll see a star icon. Click on it to toggle the signature off and on.

Mail automatically sends your certificate along with any message you digitally sign. Send a digitally signed message to another user who has Mail (in Mac OS X 10.3 or later), and your certificate is added automatically to that user’s keychain. If your friend uses another email client that supports S/MIME (most modern email programs do), it will most likely handle the certificate in a similar manner. If your friend uses a Web-based email service, he or she will see the signature and certificate as an attachment (usually named smime.p7s) and won’t be able to use it within the Web interface.
Receiving signed messages is also transparent in Mail, unless the message encounters a glitch along the way. Each message will contain a Security header that says whether it is signed or encrypted.

If you receive a message that has been altered after it was sent, Mail displays a conspicuous warning saying that it is unable to verify the message signature. That means someone has fiddled with the message in transit, the message got corrupted, or a mail server along the way rewrote the body (mailing-list footers and appended disclaimers break signatures just as surely as malice does). Your best bet is to contact the original sender to make sure that they sent the message, and to verify that you have an up-to-date copy of their certificate.
Encrypting mail
Encryption scrambles a message and any attachments so that only the holder of the right private key can read them. Senders encrypt with the recipient’s certificate (its public key); the recipient decrypts with the private key matching that certificate, which only they hold. You can use Mail to send an encrypted email to anyone whose certificate is in your keychain. (Encrypting is only possible if you already have the recipient’s certificate; the usual way to get it is to have them send you a signed message first, since Keychain Access automatically picks up the certificates of people who send you S/MIME-signed email.)
To encrypt, open a new message in Mail, address it to the person, and then click on the Encryption icon (a lock) at the right of the message window’s header.

Your entire email and any attachments will be encrypted; the Subject line and the other headers are not, so keep anything sensitive out of them. When the recipient opens the message, they will be able to read its contents and save any files you sent without doing anything special. (Anyone else who intercepts the message sees only a blob of base64-encoded ciphertext.) If the message gets corrupted or changed in transit, or if there’s a problem with the recipient’s certificate, they will see the message “Unable to decrypt message”. In that case you, the sender, should check that you have an up-to-date copy of the recipient’s certificate: encrypting to an old or revoked certificate produces a message that only a key they no longer use could open.
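The exchange that Mail performs behind the star and lock icons in the two sections above (Signing mail and Encrypting mail), as an added example that is not part of the original article, done with the openssl command line so that each step and each failure mode is visible. “alice” and “bob”, their addresses, the message text and the file names are all made up for the demonstration, and the certificates are self-signed throw-aways rather than CA-issued ones, so the verifier has to hold a trusted copy of the signer’s certificate for verification to pass:

```shell
#!/bin/sh
# Added example, not code from the original article: the sign / verify / encrypt /
# decrypt exchange that Mail performs behind the star and lock icons, done with the
# openssl CLI so each step and each failure mode is visible.
# Assumptions: openssl is on PATH; "alice" and "bob" are made-up identities with
# throw-away self-signed certificates (a real deployment uses CA-issued ones).

WORK="${WORK:-$(mktemp -d)}"

# new_identity STEM EMAIL -> $WORK/STEM.key (private, never leaves this machine)
#                            $WORK/STEM.crt (certificate, travels with signed mail)
new_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# sign_message KEY CERT IN OUT: clear-signed S/MIME (multipart/signed); the
# signer's certificate is embedded in the message, just as Mail does.
sign_message() {
  openssl smime -sign -inkey "$1" -signer "$2" -in "$3" -out "$4"
}

# verify_message SIGNED TRUSTED_CERT OUT: succeeds only if the signature matches
# the body AND the signer chains to TRUSTED_CERT; the certificate embedded in the
# message is not trusted on its own.
verify_message() {
  openssl smime -verify -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}

# encrypt_message RECIPIENT_CERT IN OUT: only the recipient's public key is needed.
encrypt_message() {
  openssl smime -encrypt -aes256 -in "$2" -out "$3" "$1"
}

# decrypt_message KEY CERT IN OUT: needs the recipient's private key.
decrypt_message() {
  openssl smime -decrypt -inkey "$1" -recip "$2" -in "$3" -out "$4" 2>/dev/null
}

# same_text A B: compare ignoring the CRLF line endings S/MIME canonicalisation adds
same_text() { [ "$(tr -d '\r' < "$1")" = "$(tr -d '\r' < "$2")" ]; }

new_identity alice alice@example.com
new_identity bob   bob@example.com
printf 'Please wire 100 dollars to account 1234.\n' > "$WORK/msg.txt"   # constructed sample

# Signing: Bob verifies with the copy of Alice's certificate he already trusts.
sign_message "$WORK/alice.key" "$WORK/alice.crt" "$WORK/msg.txt" "$WORK/signed.eml"
verify_message "$WORK/signed.eml" "$WORK/alice.crt" "$WORK/verified.txt" && echo "signature OK"

# Tampering in transit: change one character of the signed body.
sed 's/100 dollars/1000 dollars/' "$WORK/signed.eml" > "$WORK/tampered.eml"
verify_message "$WORK/tampered.eml" "$WORK/alice.crt" /dev/null || echo "tampered: signature rejected"

# Wrong trust anchor: Bob's certificate cannot vouch for Alice's signature.
verify_message "$WORK/signed.eml" "$WORK/bob.crt" /dev/null || echo "untrusted signer: rejected"

# Encryption: Alice needs Bob's certificate; only Bob's private key can decrypt.
encrypt_message "$WORK/bob.crt" "$WORK/msg.txt" "$WORK/enc.eml"
decrypt_message "$WORK/bob.key" "$WORK/bob.crt" "$WORK/enc.eml" "$WORK/plain.txt" && echo "bob decrypted"
decrypt_message "$WORK/alice.key" "$WORK/alice.crt" "$WORK/enc.eml" /dev/null || echo "alice cannot decrypt"
```

Two details are worth noticing. The tampered message fails even though the certificate embedded in it is intact, which is why Mail reports that it cannot verify the signature rather than blaming the sender. And an otherwise valid signature is rejected when the verifier holds no trusted copy of the signer’s certificate, so a certificate arriving inside the very message it vouches for cannot bootstrap trust on its own; with CA-issued certificates the CA chain does that job instead of a per-sender trust list.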
Web of trust notaries
Like most Certification Authorities, Thawte has a system for increasing the trust of your identity once you have registered with them. One of the benefits of this is that after appearing before and being notarized by a certain number of people, you can put your full name in your email certificates, rather than a generic placeholder. Obviously, having your name associated with your email adds a level of authenticity. (This can be done even before you request a certificate, which can help avoid confusion over which certificate is valid.)
Thawte’s web site includes a section on their Web of Trust. When you are logged in, you can browse a list of notaries that can assert your identity and assign points to help you towards this goal. For example, here is a list of notaries in the Provo, UT area. Most notaries are helpful and willing to assert your identity and assign you points. I am also a notary in Provo, and would be happy to help.
The Thawte notary process is also fairly simple. First, you must provide a national identification number, and this will be the ID that you must present to each notary, along with a copy for them to retain for their records. Second, when you visit a notary, you must first go online and allow them to view your details. (There is a link for this under each notary in the directory.) This allows them to verify your information online and make an assertion about your identity. Third, once the notary has asserted your identity, you will receive
About this entry
You’re currently reading “S/MIME & Certificates,” an entry on BYU Mac Users Group
- Author: quinntaylor
- Published: 11.01.06 / 10:32
- Category: Articles