STDI Consulting Inc.
Mississauga, Ontario, Canada
First published on September 28, 2011
Securing your email with a Digital ID
Add an electronic signature to your email and encrypt the message for privacy.
Please note, this information is based on 2013 and earlier software. While the basics may still be the same, you will need to consult the software documentation for the current releases.
Security and confidentiality are the top reasons for signing email with a digital certificate.
The electronic signature is unique to the data. An alteration invalidates the signature. Both parties can be sure that the message including attachments is unchanged.
The sender's (originator's) key is used to add a signature to the data. This signature uniquely authenticates the sender. The recipient can be confident that the data was composed by the sender.
Send and receive encrypted email. The exchange of encrypted email requires that both parties use a digital certificate.
We will explain all three issues in more detail, but first we preview what this document will cover.
If you are using a web-based email system like Gmail, Yahoo, Hotmail or the Outlook Express that comes with Microsoft Windows, you are out of luck and we suggest that you upgrade to IBM Lotus Notes. Read about some very compelling reasons in this document: Messaging and Collaboration for Small Business. When using Outlook Express, also keep in mind that it is no longer supported in Windows 7. Microsoft is abandoning Outlook Express in favour of Microsoft Live, a hosted web-based system.
This document focuses on messaging using IBM Lotus Notes and Domino (Notes is the client interface, Domino is the server). If you are considering migrating to IBM Lotus Domino, we can help you. One of the many reasons to use IBM Lotus Notes is the ease of using digital certificates for web-based email. Whether you use a mobile device, a browser or the native Lotus Notes client, you can secure your email with a digital ID.
How do digital IDs work?
As we have seen above, a digital ID secures information. To be of any value, it should be supported by virtually all manufacturers. The public key infrastructure (PKI) using an X.509 certificate is exactly that: a well-defined standard supported by all manufacturers. Refer to Wikipedia for more details.
The digital ID has two parts, a private key and a public key. The private key is a digital crypto key which has to be protected at all times. Anyone having access to your private key could claim your identity. The public key is the counterpart to the private key. Data that is protected with the private key must be validated with the public key, and vice versa. The public key can be freely distributed.
For the digital ID to work, whether for signing or encryption, it is important that your email partners are in possession of your public key. The public key is attached to every signed message. This makes distribution of the public key a breeze.
There is one more important component in this process, the Certificate Authority. You already know and use their services when you access a secure website. The digital ID for email is similar. You buy a certificate for your email. The Certificate Authority signs your certificate with their own certificate, which makes your certificate a "trusted certificate". This trust relationship was initially established as secure and is included by default when you set up your computer. The included Certificate Authorities are VeriSign, Entrust and Cybertrust, to name a few.
Where are the digital IDs kept?
The digital IDs (or certificates) are kept in different places. Microsoft Windows uses the Certificate Store. Applications can (or could) access the information to authenticate. Internet Explorer, for example, uses the Certificate Store to validate secure websites. If you are using Mozilla Firefox, then the certificates are stored in Mozilla Firefox. Updates to certificates in Mozilla Firefox DO NOT automatically update the Microsoft Windows Certificate Store.
IBM Lotus Notes keeps the digital ID in the Notes ID file (aka User ID). The Notes ID has been based on the X.509 standard since the introduction of Lotus Notes well over 15 years ago. The Notes ID file is in your Notes Data Directory when you use the Lotus Notes Client and in the user's mail file when you use iNotes. Keep in mind that certificate changes to the Notes ID file do not automatically update the Microsoft Windows Certificate Store.
There will be examples of how to move the Digital IDs from one place to the other later in this document.
Why is the Message content secure?
A digital signature is computed from the message content, so it is unique to that content. Even a one-character alteration in the message will result in a different signature. Therefore, the content of a message can be trusted when the signature validates without an error. This process is done by the email system, so it does not require any recurring actions on your part. Signing all sent messages can be configured as the default, so again, there is no recurring action required.
How can the recipient be sure that the message really came from me?
Always remember, the private key has to be kept secure. It is the private key that defines your identity, or better, your email identity. Your email address is part of the key. When you generate the Digital ID with an email address, you MUST send and sign the email with this exact same email address. Two addresses are different even if you receive mail under either of them. Only the actual email portion is critical; you can still customize the display name that appears in quotes before the address.
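As an added illustration of the two checks described above (this is example code, not part of the original article and not Lotus Notes code), the Go program below builds an X.509 certificate bound to one email address, signs a message with the private key, and verifies it with the certificate: a one-character change to the message, a different From address, or a damaged signature all fail. The certificate is self-signed here as a stand-in for a CA-issued ID; the function names, the address and the sample message are assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newID: private key plus a self-signed X.509 certificate binding it to one email address.
func newID(email string) (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1), // constructed value; a CA would assign this
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, // the address the ID is issued for
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// sign hashes the message and signs the digest; any change to the message changes the digest.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// verify accepts only if the From address is exactly the one bound into the
// certificate and the signature checks out against the certificate's public key.
func verify(cert *x509.Certificate, from string, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || len(cert.EmailAddresses) == 0 || cert.EmailAddresses[0] != from {
		return false
	}
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```

A mail client does the same work when it attaches the signer's certificate to a signed message and checks it on receipt; the address comparison is exact, which is why a differently spelled address fails.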
Why encrypt a message?
To protect confidentiality and your privacy. When you send an email today, ANYBODY can read the message. This could be a person who gets hold of your computer or laptop, a backup file that was stored on a CD or memory stick, an interception during transmission, a disk in an outdated computer, and the list goes on.
Message encryption protects the email in transit as well as on the server, desktop or laptop computer. Not even a super-administrator can decrypt the message unless they have access to your private key.
I am always amazed how reputable organizations send email with very personal information to customers and partners.
This is simply wrong.
As of today, there are not many financial institutions that could handle this very simple task. Not only banks, this also applies to Accountants, Insurance and Government Agencies as well.
A few days ago I was at the bank to renew some of my Retirement Savings. The Account Manager asked for my email address to send statements and confirmation documents. I declined since the bank does not encrypt the email.
Step-by-step: From ordering the Digital ID to signing your email
With the basics out of the way, we can look at the process from start to finish. In our documentation, we purchased a Digital ID from VeriSign using the Mozilla Firefox browser. We then export the certificate from Mozilla Firefox to keep a copy in a secure place (backup) and import the same certificate into Lotus Notes.
Purchase the Digital ID
Go to VeriSign at http://www.verisign.com. The options and layout on the VeriSign page may change over time. We try to keep this information here as generic as possible, that's why we don't show screen prints.
The order process will ask questions about the browser you are using. We use Mozilla Firefox in our examples. It is important to use the same browser from start to finish.
Go to Products and Services and find the Digital IDs for Secure Email in the menu options. Click on the Buy Now button to proceed.
Look for the Learn More link further down the page. The link contains information about the Digital ID in much more detail than you can find here.
In general, follow the prompts and fill out the order information. When it comes to the email address, it has to match your sending email address EXACTLY. You will eventually receive an email with pickup information. Again, follow the instructions there.
When we picked up the certificate, the process automatically installed it in the Mozilla Firefox certificate store.
The headings below explain the handling of certificates in full detail. Read the ones that suit your needs.
Import and Export Certificates
IBM Lotus Notes and iNotes
Steps to signing and encrypting your email, and importing and exporting the certificates or Notes ID for the Lotus Notes desktop client and Lotus iNotes web client.
IBM Domino Administration
Read about cross certifying the whole organization.
Read about importing and exporting the certificates.
Import the certificate and sign the PDF document.