Sign and encrypt your mail

by Volker Weber

If you are communicating with Skype, all your traffic is encrypted. Your email probably isn't, and neither are your AIM conversations. I think it is about time to get the kind of security into your communications that we Notes users have taken for granted for years. It won't even cost you anything. Here's how it works:

Start by getting a free Thawte certificate and adding it to your key ring. Use Firefox to obtain the certificate, then go to Preferences/Advanced/Manage Your Certificates and export the certificate to a .p12 file that you can import into your Notes.id, your Mac keychain or wherever you need it.

The basic certificate is free and certifies nothing but your email address. Once you have added the certificate to your mail program, you can sign mails. When you receive a signed mail from someone else, your mail program can use the public key attached to it to encrypt your reply. Some mail clients like Outlook or Apple Mail store the public key automatically; others like Lotus Notes require user action.
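The signing and encrypted-reply flow just described, shown as an added example with the openssl command line (this is not code from the original post): a locally generated self-signed certificate stands in for the Thawte-issued one, the address alice@example.com, the .p12 export password and the message texts are constructed, and the .p12 bundle mirrors what the Firefox certificate manager exports.

```shell
#!/bin/sh
# Added example: S/MIME round trip with the openssl CLI.
# A self-signed certificate stands in for a CA-issued one; the address,
# the .p12 password and the message bodies are constructed for the demo.
set -eu

smime_roundtrip() {
  work="$(mktemp -d)"
  pass="exportpw"              # constructed .p12 export password
  email="alice@example.com"    # constructed address
  reply="meet at noon"         # constructed reply body

  # 1. Key pair plus certificate bound to the email address, bundled into a
  #    .p12 the way the Firefox certificate manager's export does.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Alice Example/emailAddress=$email" \
    -keyout "$work/alice.key" -out "$work/alice.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$work/alice.key" -in "$work/alice.crt" \
    -passout "pass:$pass" -out "$work/alice.p12" 2>/dev/null

  # 2. Alice signs a message. The multipart/signed output carries her
  #    certificate, which is what a recipient needs to reply encrypted.
  printf 'hello from alice\n' > "$work/msg.txt"
  openssl smime -sign -text -in "$work/msg.txt" -signer "$work/alice.crt" \
    -inkey "$work/alice.key" -out "$work/signed.eml" 2>/dev/null

  # 3. Bob verifies the signature against a trust anchor (here the
  #    self-signed cert itself) and stores the embedded certificate. This is
  #    the step Outlook and Apple Mail do automatically and Notes leaves to
  #    the user.
  openssl smime -verify -text -in "$work/signed.eml" -CAfile "$work/alice.crt" \
    -signer "$work/alice_from_mail.crt" -out "$work/verified.txt" 2>/dev/null

  # 4. Bob encrypts his reply to the certificate he took from the signed mail.
  printf '%s\n' "$reply" > "$work/reply.txt"
  openssl smime -encrypt -text -aes256 -in "$work/reply.txt" \
    -out "$work/reply.eml" "$work/alice_from_mail.crt" 2>/dev/null

  # 5. Alice decrypts with the private key unpacked from her .p12 bundle,
  #    the same bundle she would import into Notes or the Mac keychain.
  openssl pkcs12 -in "$work/alice.p12" -nodes -passin "pass:$pass" \
    -out "$work/alice_unpacked.pem" 2>/dev/null
  openssl smime -decrypt -text -in "$work/reply.eml" \
    -recip "$work/alice.crt" -inkey "$work/alice_unpacked.pem" 2>/dev/null \
    | tr -d '\r'
  rm -rf "$work"
}

echo "Decrypted reply: $(smime_roundtrip)"
```

The verify step's `-signer` output is the manual "store the sender's certificate" action the text attributes to Notes; the final step shows that the .p12 carries the private key, which is why the export password and the file itself deserve the same care as the Notes ID file.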

When you get your ID notarized, which is also free but takes some work, you can add your name to the certificate. This is actually pretty easy. Every Thawte notary can assign you between 10 and 35 points. You need 50 points to be trusted, which lets you add your own name, and you need 100 to become a notary yourself. Quick math: you need at least 2 notaries to become trusted and 3 to become a notary. This is how the web of trust grows.

The notary needs to see the ID you used to sign up and will make a copy of it for his files. In many cases you need two photo IDs that the notary copies. It is good practice to bring copies along when you have your certificate notarized.

I collected 140 points from 4 notaries today. It took me less than 5 minutes because they were all in the same office. Now I not only have trusted status but will also be able to notarize others.

Update: Olaf asked me why I am recommending Thawte and not the free class 1 certificate from Trustcenter. Answer: I gave up using Trustcenter.de 18 months ago.

Comments

PGP, GPG, whatever. Web of trust for a decade or so. Distributed. Autonomous. Not dependent on CA infrastructure and root certificates. Compartmentalization at its best.

From a security standpoint, there's not much left to add, don't you think?

Regards,
/k

Karsten W. Rohrbach, 2004-12-14

I'm with Karsten on this one. The top-down structure of X.509 certificates is just a nuisance. Thawte, for instance, is either clumsy or impossible with multiple email addresses. The Thawte Web-Of-Trust approach seems new since I last acquired a certificate there. I know that one can provide one's own 'Country ID' to them, but after previous dealings with Verisign (who own Thawte) they are the last people I would trust.

The sort of community created by blog comments is a good starting point for a web-of-trust, though.

I was never able to get a Trustcenter.de certificate working, either.

And if you're put off by the fee for the current version of PGP, the GPG implementation (at least for Apple Mail) is very good, with the exception of the keychain. I'm hoping that the next version of OS X Keychain solves this.

It has been some time since I acquired a Thawte X.509 certificate, but doesn't the current version of Safari properly import them?

One slight downside is that (put on your tinfoil hat) your email traffic is probably tracked by your national security agency if it is encrypted and it passes through a G7 country. It certainly can't be decrypted in real time, and probably not at all, but it is being watched. If most people encrypted mail, and not just the bad guys, this would cease to be an issue, though.

Final comment, on Lotus Notes. Lotus has offered, for over a decade, something called the Defense Messaging System. It is basically a subset of Notes/Domino that has been audited and tweaked (correct me if I'm wrong Ed B.), and was once, and probably still is, used by the C.I.A.

David Richardson, 2004-12-14

In support of David's statement, there is a very nice GPG-based plug-in for Thunderbird/Mozilla named Enigmail. It is quite easy to install and works flawlessly. From there, you can create your own web of trust.

You can check it out at
http://enigmail.mozdev.org/ and
http://www.gnupg.org/.

Thomas Nowak, 2004-12-14

Yes, PGP is a nice thing. However, I did not want to start a VHS vs Betamax discussion. The world I work in has moved down the X.509 route and not the PGP route. So I am trying to find a workable solution there.

Volker Weber, 2004-12-14

A comprehensive encryption link-list:

http://deep-resonance.org/2004/12/05/pgp-gpg

Michael Seidlitz, 2004-12-14

I have had a Thawte certificate in my Notes IDs for about 4 years now. From the very beginning I remember the Web of Trust concept; I just could never get hold of a notary in my vicinity.

How about we set up a notarization session at Lotusphere?
Volker, I'd be happy to bring two photocopies of IDs to Lotusphere so you could notarize me there, if that works for you.
Any other notary going to be at Lotusphere and willing to notarize people?

Ragnar Schierholz, 2004-12-14

There should be one notary in Sargans. But, yes, I can notarize you in Orlando.

Volker Weber, 2004-12-14

Stupid question, Volker: where exactly on the page mentioned above do I get the certificate? Apart from a description I can't find anything ... scratches head

Robert Basic, 2004-12-14

Try http://www.thawte.com/email/index.html and click the 'Join' button shown at the top left. You will be guided to the web of trust later on.

Ole Saalmann, 2004-12-14

The [ : enroll : ] link is staring you right in the face.

Volker Weber, 2004-12-14

That's the point: Sargans is too far away just to show my ID (for my taste). But Zurich seems to have a growing number of notaries as well, and that's a location I pass through a lot more often than any other city in Switzerland.
Looks like I might be able to finally become notarized in a reasonable time frame. :-)

Ragnar Schierholz, 2004-12-14

@Ole, thx

@Volker: No, unfortunately not, all I got was a password prompt box :-(

Robert Basic, 2004-12-14

I have tested the Thawte procedure to obtain a certificate and I must say it is absolutely b*s :-))

Robert Basic, 2004-12-14

Despite my previous comments, there is a place for both methods. X.509 certificates are handled seamlessly by most popular email clients on all operating systems. So, no extra software to install.

Also, your public key is usually transmitted via email, so no key-servers to configure or search. I find myself working on a project requiring digital signatures in PDF documents - Acrobat also supports X.509 keys for document signing.

My first Thawte certificate was a test for my Hotmail spam account. Now, the Thawte process thinks I'm the Hotmail account (the browser identifies itself using X.509, as well), and doesn't seem to provide a way to switch email accounts that works for me. In fact, I regularly use multiple email accounts. If anyone else has solved this problem, please post.

David Richardson, 2004-12-14

Well, I made my first Thawte certificate today and I found the option to create digital signatures for multiple email accounts.

My problem is that there's only one notary in my town.
So I thought about getting signed by the Trusted Third Party Program (TTP).

Has anyone tested this TTP method?

Karsten Vieth, 2005-09-23
