e-Mail security

Some people that get e-Mail from me may note that the message is "digitally signed."   Digital signing is one part of a system that provides e-mail security.   It means that the message is guaranteed to be from me, and that the message has not been altered in transit.   It also means that I can not deny that the message was sent by me.   In computer technospeak it provides authentication verification, and non-repudiation.  .

The fourth part of e-mail security is privacy and that is not guaranteed by simply signing the e-mail.   Privacy is addressed by encryption and encryption is dependent on a somewhat more complex use of the same technology.

Now, there always have been reasons to keep mail private.   In ages past, one could get rid of letters simply by throwing them into the fire.   e-Mail is different.   It is stored forever on the servers it has passed through.   The owners of those servers can turn over your e-mail to anyone, without bothering to notify you.   I am sure you have never done anything wrong, suspicious, or even shady.   So, what about that comment about your boss, that stock transaction, political joke or whatever that you just don't want the whole world to know about? The e-mail solution is encryption.

Ordinary e-mail is like sending a postcard.   Encryption is more like placing your mail in an envelope.   It does not guarantee that the e-mail can not be read by a third party, it only assures that it will be very hard to do so.   For example. it might take a month or even a year to decode the e-mail without the proper key.

By signing the message I have included my public encryption key as well.   A conforming e-mail client (one that noticed my e-mail was signed) will save my public key automatically.   It means that the recipient of the message can now communicate with me privately, using encryption, instead of on a postcard that anyone can read,   If you also have a public key, I can send private e-mail to you as well.

Ok, supposing I have your attention, and you would like to put e-mail in an envelope, how do you start?   The first thing you need is an e-mail client that supports S/MIME (Secure/Multipurpose Internet Mail Extensions).   Most e-mail clients do but most web based e-mail does not.   Some mail servers support both client and web based mail which makes it easy.   GMAIL is a problem.

Once you have a compliant e-mail client you an e-mail certificate from some certificate authority.   Mine is from COMODO.COM, but there are others.   They often provide free class 1 certificates which you download and install in your mail client.   Class 1 certificates prove that you own an e-mail address, but do not guarantee your identity.   Higher class certificates guarantee your identity, your employment, even your government clearance, but cost money and require proof of identity.

Once you have a certificate, send me a signed e-mail.   The signed e-mail provides your public key.   That allows me to send encrypted mail to you.   When I send you a signed e-mail you have my public key and will be able to send encrypted e-mail to me.   After that, we will have authentication, verification, non-repudiation, and privacy.   Would that it be the way of the world.   Most people do not even think of e-Mail security and would not have any idea why they would need it.