S/MIME Maintenance in Windows Vista
Introduction
This document was created based on about five years of using S/MIME digital signatures and encryption in my day-to-day activities. It will serve as a primer for anyone who wishes to insure the integrity of their online communications. I will focus on two free digital ID providers, how to get started, my experiences in participating in Thawtes “Web of Trust”, and some drawbacks encountered with using S/MIME as well. I will also discuss S/MIME security, and compare S/MIME to some other email signing and encryption technologies in wide use today.
Overview
S/MIME (short for “Secure/MIME”) is a version of the MIME protocol that supports encryption of email messages and their contents by way of RSA’s public-key encryption technology. S/MIME was created in 1995 by a group of software vendors to prevent interception and forgery of e-mail, and since it builds on the existing MIME protocol standard, it can be easily integrated into existing e-mail and messaging products. Since S/MIME was based on existing widely supported standards, it is likely to continue to be widely implemented across a variety of operating systems and e-mail clients. For this reason, it is possible for a Windows operating system user with the Outlook email client to send a secure, digitally signed email to a Unix operating system user with the Netscape Messenger email client (for example) without installing any additional software.
Getting Started
To start using S/MIME, you’ll need to start by obtaining an email client that supports S/MIME. Since most people seem to use Outlook and Outlook Express, I will focus on these two email clients on the Windows operating system. I have also successfully configured and used S/MIME with the Netscape Messenger (part of Netscape Communicator) email client while using the Solaris operating system. Once you have installed your email client, you are ready to select a digital ID provider.
S/MIME Supporting Email Clients
Some popular email clients that support S/MIME are:
- Microsoft Outlook (Windows)
- Microsoft Outlook Express (Windows)
- Mozilla Thunderbird (Linux, Mac OS X, Windows, Solaris)
- Netscape Communicator (Windows, Solaris)
- Mail (Mac OS X)
Free Digital ID Providers
There are two popular providers of digital ID’s that offer free ID’s for personal use with email.
InstantSSL
Thawte
Since I have been using a Thawte digital ID for over a year now, I will focus on configuring S/MIME using a Thawte ID and add detailed instructions for using an InstantSSL ID later.
Certificates issued by Thawte say “Thawte Freemail Member” when opened, but by participating in the Thawte Web Of Trust (WOT), users can have their name added to their digital ID and included in their certificates for added trust and security. To do this, Thawte uses a system of points to establish trust. The points are on a scale of 0 to 100 and are obtained by seeking out Thawte Notaries who will confirm your identity and issue points to you via the Thawte website. Once a user obtains 50 points, new certificates issued are signed with their name. By continuing the process, a Thawte ID holder can become trusted enough to notarize ID’s themselves. To achieve notary status, a user must be verified by no fewer than three Thawte Notaries.
Obtaining Your Thawte ID
To request a Thawte ID, you will need to have a government issued photo ID or Passport. Your government has verified your identity, and the Thawte WOT will build on that. Each time you have your digital ID notarized, you will need to display your government issued photo ID so that the notary can compare your appearance to the photo on the ID and also examine the ID so they are reasonably certain that the photo ID is legitimate. The person requesting the digital ID must also be at least 13 years old.
To set up your digital ID, start by visiting the Thawte website at the following address:
- Start at the Thawte Personal Email Security web page.
- Select the “join” button on the left-hand side.
- Read the terms and conditions and click “next”.
- Provide your Surname, Given Name, Date of Birth, and Nationality, then click “next”.
- Provide your national identification card number in the field provided, and select the type of identification. Finally, enter your email address. The email address you provide will serve as your Thawte username. Click “next”.
- Set your language and charset preference, then click “next”.
- After reading about password security, set your personal password, confirm it, and click “next”.
- After reading about phone numbers, enter a telephone number where you can be reached in the event that you lose your password. Move on to read about question and answer pairs (used for retrieving forgotten passwords), fill out your answers, and click “next”.
- Confirm your enrollment information, and click “next”.
To complete the process, you will need to follow the instructions sent to you via email by Thawte.
Requesting Thawte Certificates
After creating your Thawte ID, you are ready to request a certificate. This certificate stems from your original Thawte ID, but is unique and applies only to one email address, on one email client, on one computer.
- Start at the Thawte Personal Email Security web page.
- Login (the button is on the left) using the username and password you used to request your Thawte digital ID.
- In the menu on the left, select “My Emails”
- Next, select “New Email Address” on the left menu and follow the instructions.
- Now select “Certificates” on the left.
- Select “Request A Certificate”
- Click the request button and follow the instructions.
- Select your email client and click “request”.
- Click next when asked to set employment information.
- Select the email addresses to be associated with this cert (for Outlook Express compatibility, select only one address per cert) and click “next”
- Click “next” in the “Strong Extranet Identities” window.
- On the “Accept Default Extensions” screen, click “accept”.
- Select your certificate provider (I use the default) and click the “Next >” button.
- In some browsers, you will now see a warning that the web site is requesting a new certificate for you – since this is to be expected, approve the request. In Internet Explorer, you can do so by clicking “Yes”.
- You will see a pop-up window with a button labeled “Set Security Level…”, click this button and select the “High” security level. Setting to High requires a password each time the certificate is used. Click the “Next >” button.
NOTE: The default is low/medium security. By setting the security level of your certificate to “high”, you will be required to type your password every time an email is encrypted or signed (after you get used to this, it really isn’t as annoying as it might seem – and it has saved me a few times from accidentally sending unfinished emails).
- Now you must create a password for this certificate and type it into the provided Password field. You will need to retype it in the Confirm field to ensure that you have typed the password correctly.
- Click the “Finish” button.
- Next click the “OK” button.
- Finally click “finish”.
- Click “next” to return to the Certificate Manager page.
- Thawte will email you once your cert is ready for download (it usually takes only a few minutes).
Installing Thawte Certificates
- The email should explain where to download it. Essentially you go to the Thawte web site (“View Certificate Status” under the “Certificates” menu when logged in – if you get lost) and click a link. A message box appears and says it’s installing the cert.
- Go into your mail client and compose an email. If you are using Outlook, you can set the message security in the message options (there is a button when composing). If you’re using Outlook Express, it’s in the Tools menu. You should be able to send me a signed and encrypted message right off the bat.
Configuring Your Mail Client
You may wish to make some small changes to your email client for a better S/MIME experience.
Outlook XP/2003
Signing All Outbound Messages
- Tools > Options…
- Click the “Security” tab.
- Check the “Add digital signature to outgoing messages” checkbox.
- Also check the “Send clear text signed message when sending signed messages”.
Back-up your Certificates
- Click the “Import/Export…” button.
- Select the “Export your Digital ID to a file” radio button.
- Click the “Select…” button.
- Choose the Certificates you wish to export from the list, then click the “OK” button.
- In the “Filename” field, type a filename for your exported certificate.
- To protect your exported certificates, enter a password and confirm.
- Click the “OK” button again.
- You will need to enter the password for your certificate at this time and click “OK” (do not check the “Remember password” checkbox – this will defeat the “High” level of security on your certificate).
- Click the “OK” button.
Adding Buttons (Turn off Word as Editor)
- Go to Tools > Options > Mail Format (Tab)
- Uncheck “Use Word to edit email messages”
- Click “OK”
- Create a new email message…
- Right-click on the toolbar and click “Customize”
- Select the “Commands” tab, and select the “Standard” category of commands.
- In the “Commands:” window, you will see two buttons near the bottom.
- One is an envelope with a red seal, the other is an envelope with a blue lock.
- Drag each of these into your toolbar (to a place you like – I put mine just before the “Options” button.
- Click “Close”.
- You should now have two buttons on your toolbar.
Sending Signed Email by Default
- Go to Tools > Options > Security (Tab)
- Check “Add digital signature to outgoing messages”
- Check “Send clear text signed message when sending signed messages”
(NOTE: If you do not send messages as cleartext signed, users without an S/MIME supporting email client will be unable to read them – they will look like an encrypted email message.)
- Click “OK”
Outlook Express
When a user sends their new cert after their old cert expires, you need to open their contact, go to “Digital ID’s” and set their new cert as default – otherwise the old cert will be used.
Drawbacks / Known Issues
Inexperienced Users
Some people are Internet novices – yet they still have an S/MIME compliant email client. Most clients make it easy to reply to signed and encrypted emails by setting the reply message to be signed or encrypted by default.
If you try to reply by way of a signed message, even though you don’t have a digital ID you’ll probably get a warning that you can’t send digitally signed messages.
In Outlook Express, the message is as follows:
Outlook Express Mail “You cannot send digitally signed messages because you do not have a digital ID for this account.” [Get Digital ID] [Cancel]
Some users will interpret this as “An Error Message” and that they “Cannot reply to your emails”. If they use Outlook Express, they can reply to your message as they normally would, but first they must go to “Tools” in the File menu and uncheck the “Digitally Sign” option for the reply email.
Outlook Express
- No Support for Certs with Multiple Email Addresses:
Normally, users would only need one certificate for each email client/computer combination – but due to a problem with the way Outlook Express interperets digital ID’s, it is best to create a new one for each email address as well for maximum compatibility. - Limited support for posting signed messages in NNTP Newsgroups
Netscape Communicator
I had trouble with different versions of Communicator fighting each other in the CIS Solaris environment. The net result was that digital ID’s worked in the email client version I configured first, but after upgrading to a newer version, it stopped working.
Web-based Email
No Support for most web based email clients – but S/MIME email IS supported in the latest version of Outlook Web Access.
Other Issues
“An error occurred in the underlying security system.”
“An error occurred while trying to export security information.”
While creating a new email, I must click on “Options…” in the toolbar and press the “Security Settings…” button.
This opens a new window called “Security Properties” with a “Security Settings” section.
Under “Security setting:” is a dropdown box.
It has the options “<Automatic>”, “<Default>”, and “My S/MIME Settings (email@address.here)”.
If I choose any of these and click the “Change Settings…” button, this opens a window called “Change Security Settings”.
Under “Certificates and Algorithms” in the “Signing Certificate:” field, there is a “Choose…” button.
Clicking it opens a “Select Certificate” window – and here is the problem.
I see two Certificates. One is a new certificate I installed today, and the other is an old certificate that I thought was deleted.
I found the solution though:
In Outlook 2003, go to Tools > Options > Security (Tab)
In the “Encrypted e-mail” tab, set the “Default Setting:” to “My S/MIME Settings (your@email.here)”
Click the “Settings…” button
A new window titled “Change Security Settings” will open
In the “Certificates and Algorithms” section, at the “Signing Certificate:” field, click the “Choose…” button
Select the appropriate certificate
At the “Encryption Certificate:” field, click the “Choose…” button
Select the appropriate certificate
Click “OK”
Click “OK”
Other Resources
Microsoft’s Page on Getting Digital ID’s
Using encryption and digital signatures in Mail (Mac OS)
Fermilab Computing Division Security