SLAC Computer Security
Certificate Signed E-mail at SLAC - Pilot Project
- General Background and Information
- Sometimes we have a need to send e-mail that the recipient can feel assured was not forged (e.g. when SLAC Computer Security sends instructions to SLAC users to patch their computers). If we don't sign the e-mail in some trusted way, how do you know the e-mail is not forged? One way to add "trust" to an e-mail is with x.509 Certificates. There are other options, but they are more cumbersome to set up, or costly, or both.
- To get an x.509 certificate we have to find a widely trusted "Certification Authority" (commonly referred to as CA) who will offer them. For this project we are using Thawte Personal Freemail CA. We then take fairly simple measures to prove our identity to them and they issue us a certificate for our e-mail address. This certificate has a "public" and "private" key pair. The private key must be kept safe and password protected by the owner. This is critical.
- To use the certificate in e-mail, the sender composes and sends their e-mail with the certificate attached. The certificate attached to the e-mail contains the "public" key as well as important information like your e-mail address and who issued the certificate to you. The recipient's e-mail software will look at the certificate and automatically check it against the CA who issued it. If the certificate is validated by the CA then the recipient's software will show that the certificate is valid. The recipient can then be sure the certificate hasn't been forged or altered, so they can trust that the sender is who he says he is. We are not talking about encrypting e-mails; we are only providing proof that our e-mails come from us.
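The verification flow described above (the body signed under the sender's key, the certificate issued by a CA the recipient trusts, and the address on the certificate matching the From: line), as an added example that is not part of this SLAC page or of any mail client's code. It is a small Python model built on the `cryptography` package; the demo CA, the user's address, and the message body are constructed for the example, and the function names (`sign_message`, `verify_message`, `run_scenarios`) are hypothetical. It also exercises two situations the page mentions further down: an expired certificate (reported, but the signature itself still checks out, which is why clients let you open the mail anyway) and a From: address whose case differs from the certificate, the mismatch that Mail.app reports as "unable to verify signature".

```python
"""Added example (not SLAC's code): a minimal model of how a recipient's mail
client checks a certificate-signed e-mail. CA, addresses and message body are
constructed for the demo; function names are hypothetical."""
import datetime as dt
from email.utils import parseaddr

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, subject_key, signing_key, start, end, email=None, ca=False):
    """Build an X.509 certificate. An e-mail address, if given, goes in the
    subjectAltName as an rfc822Name, which is where S/MIME clients look for it."""
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer)
         .public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(end)
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if email:
        b = b.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
    return b.sign(signing_key, hashes.SHA256())


def sign_message(private_key, body):
    """Sender's side: sign the body with the private key (the half that must stay protected)."""
    return private_key.sign(body, padding.PKCS1v15(), hashes.SHA256())


def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older versions give naive UTC datetimes
    nvb = getattr(cert, "not_valid_before_utc", None)
    nva = getattr(cert, "not_valid_after_utc", None)
    if nvb is None:
        nvb = cert.not_valid_before.replace(tzinfo=UTC)
        nva = cert.not_valid_after.replace(tzinfo=UTC)
    return nvb, nva


def verify_message(trusted_ca, signer_cert, from_header, body, signature, now=None):
    """Recipient's side, modelled on what a mail client reports. Returns one of:
    'bad-signature', 'untrusted-issuer', 'address-mismatch', 'expired', 'valid'."""
    now = now or dt.datetime.now(UTC)
    # 1. Was the body signed by the key whose public half is in the attached certificate?
    try:
        signer_cert.public_key().verify(signature, body, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return "bad-signature"
    # 2. Was the certificate itself issued (signed) by a CA the recipient trusts?
    try:
        if signer_cert.issuer != trusted_ca.subject:
            raise InvalidSignature
        trusted_ca.public_key().verify(signer_cert.signature, signer_cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), signer_cert.signature_hash_algorithm)
    except InvalidSignature:
        return "untrusted-issuer"
    # 3. Does the From: address match the certificate exactly? The comparison is case-sensitive.
    san = signer_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if parseaddr(from_header)[1] not in san.get_values_for_type(x509.RFC822Name):
        return "address-mismatch"
    # 4. Validity period: an expired cert is reported, but the signature above already checked
    #    out, so a client can still offer to open the message.
    nvb, nva = _validity(signer_cert)
    if not (nvb <= now <= nva):
        return "expired"
    return "valid"


def run_scenarios():
    """Constructed CA, user and rogue CA; returns the status each scenario produces."""
    ca_key, user_key, rogue_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    now = dt.datetime.now(UTC)
    day = dt.timedelta(days=1)
    ca_name, rogue_name = _name("Demo Freemail CA (constructed)"), _name("Rogue CA (constructed)")
    ca = _cert(ca_name, ca_name, ca_key, ca_key, now - day, now + 3650 * day, ca=True)
    rogue = _cert(rogue_name, rogue_name, rogue_key, rogue_key, now - day, now + 3650 * day, ca=True)
    addr = "Jane.Doe@slac.stanford.edu"        # constructed address; note the capitals
    member = _name("Thawte Freemail Member")     # what a freemail cert says before WOT points
    good = _cert(member, ca.subject, user_key, ca_key, now - day, now + 365 * day, email=addr)
    expired = _cert(member, ca.subject, user_key, ca_key, now - 400 * day, now - 30 * day, email=addr)
    rogue_issued = _cert(member, rogue.subject, user_key, rogue_key, now - day, now + 365 * day, email=addr)
    body = b"Please patch your computers before Friday.\r\n"   # constructed message body
    sig = sign_message(user_key, body)
    return {
        "good": verify_message(ca, good, f"Jane Doe <{addr}>", body, sig),
        "tampered": verify_message(ca, good, addr, body.replace(b"Friday", b"Monday"), sig),
        "case-mismatch": verify_message(ca, good, addr.lower(), body, sig),
        "expired": verify_message(ca, expired, addr, body, sig),
        "other-ca": verify_message(ca, rogue_issued, addr, body, sig),
    }


if __name__ == "__main__":
    for scenario, status in run_scenarios().items():
        print(f"{scenario:14s} -> {status}")
```

The four checks run in the order a client would report them: a bad body signature or an untrusted issuer is fatal, while an address mismatch or an expired certificate is a warning about an otherwise well-formed signature. Real S/MIME wraps the signature and certificate in a PKCS#7 structure instead of passing them separately, but the decisions the recipient's software makes are the ones shown here.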
- Scientific Computing and Computing Services (SCCS) is in the process of testing the use of x.509 certificates in e-mail at SLAC. As we progress through the client testing, etc. we will be filling out the Testing Matrix below. If this is the option chosen for SLAC then we will document how each client is to be configured and publicize its availability to SLAC users.
- Requesting Your Own Thawte Freemail Certificate
- First, check to see the exact format (case sensitive) of your e-mail address (send yourself an e-mail if you are not sure). Some e-mail clients are very picky about the format of your From: e-mail address matching the e-mail address used in your Certificate.
- Second, go to the Thawte Personal Freemail CA web site (do not use Safari browser though!) and press the Join button to begin the process. You will enter your Nationality and your Birthdate; you will create a Thawte website password; plus 5 questions and answers. They'll send you a Probe/Ping e-mail which you need to respond to before the Certificate will be issued. Once you have received the email from them which says your Certificate is ready then you will click on the link in that message and Fetch the certificate into your Internet browser software. Whenever prompted for level of security for saving or protecting the certificate please respond High (see the Protecting Your Certificate section below).
- Third, configure your e-mail client to use the certificates in your e-mail. If you used Internet Explorer to request the certificate and you use Outlook 2003 then you don't need to configure anything. If you used a browser other than Internet Explorer and you want to use the certificates in Outlook 2003 then you will need to export the certificate out of the original browser and import it into Internet Explorer.
- Get Your Name On Your Certificate
- We highly recommend getting your name on your certificate, as it adds a level of trust to it. It shows you have visited at least two notaries to have your identity verified.
- When you first register with Thawte you are listed as "Untrusted" because all you did was fill out a form and respond to an email. You should now start the process to earn trust by visiting Thawte Web of Trust Notaries. Once you have 50 points you will be considered "trusted" and will be able to request a certificate that has your name on it. The certificate you just got only says "Thawte Freemail Member".
- Before you contact a WOT notary you need to log in to the Thawte Personal Freemail CA web site. Look on the left-hand side, under "My Account", and click on "edit ID info". Fill in the National Identification field with the number from the piece of ID you wish to use (Driver's License or Passport). In the National Identity Type field, describe what it is (e.g. CA Driver's License or Passport). The WOT Notaries will use this information when it comes time to verify the ID you show them when you meet in person. They will not see this information unless you authorize them to view it.
- More on the Web of Trust can be found on the Thawte web site.
- SLAC has several Web of Trust Notaries. Three of them are Teresa Downey, Ricardo Kau, and Chuck Boeheim. They can meet with SLAC personnel to verify their identity, which makes it very easy for SLAC personnel to get their name on their certificate. See the WOT Notary database for the full list.
- Protecting Your Certificate
- As we've already said, you will password-protect the private key. You should also set the security level for its use to High. This ensures that every request to use it is password protected. Example: if you don't set the security level to High and you leave your e-mail client open, then anyone can come along and send a message signed or encrypted with your certificate even though they are not you! First, lock your computer when you leave it. Second, be sure your certificate requires a password to be accessed. Whenever you are prompted for the security level during the set-up of certificates, please respond HIGH.
- Replacing Your Certificate Annually
- These free certs cannot be "renewed" and so must be replaced each year. This means that e-mails you have sent with your old cert will start getting errors when people open them. The error will say that the certificate is expired but will still give the person the opportunity to open the e-mail anyway.
- Steps to get a new certificate when yours expires:
- Outlook users should use Internet Explorer browsers.
- Login at https://www.thawte.com/cgi/personal/contents.exe with your Thawte ID (an email address) and password.
- Click on "certificates" in the left frame.
- Click on "view certificate status" in the left frame.
- In the list of Expired certs in the middle click on the link in the first column until you find the one you want to renew.
- There is a different one for each email address. (Some of us have a few...)
- When looking at the certificate you want to renew click the "Request Another" link in the upper right.
- Click on "request" button in the x.509 section.
- In the window that pops up it should have already selected the type of browser you are currently using.
- Press the "request" button.
- Verify your Name is correct.
- Employment is not generally used. Press Next.
- Keep the default provider and press Next.
- Window will pop up to create a new RSA exchange key.
- I always change the security level to High. You should always have to type your password when signing an e-mail with your cert, to ensure no one can send an e-mail with your cert should they get unauthorized access to your e-mail client.
- Enter the password twice; it protects the cert on your hard drive.
- Press "finish" on last window.
- Select the correct email address for this certificate and press Next.
- Press Next again. Accept the default Extensions.
- In a little while an email will arrive (hopefully it is not caught as spam... mine came through).
- Use the link in the message (and the same browser you used to request it) to finish the cert renewal process.
- Click the "Install Your Cert" link and acknowledge the scripting warnings you'll get.
- Testing Matrix
| Operating System | Client Software | "Receive" Testing | "Send" Testing |
| --- | --- | --- | --- |
| Windows XP SP2 | Outlook 2003 SP2 | OK - no configuration needed | Instructions |
| Windows XP SP2 | Thunderbird IMAP | Instructions | Instructions |
| Linux | Thunderbird IMAP | OK - Configuration and certificate import is similar to Windows. | I've been told it works but do not have specific instructions |
| Mac OS X | Thunderbird IMAP | Please report results of your testing to Teresa | Please report results of your testing to Teresa |
| Mac OS X | Mail.app | OK - no configuration needed (you will get an "unable to verify signature" error if the e-mail address on the certificate doesn't exactly match the e-mail on the From: line. The email address in the certificate is case sensitive.) | Please report results of your testing to Teresa |
| Any | Outlook Web Access via Web Browser | Unable to validate certs - still debugging. | Not working - still debugging. |
| Solaris/Linux | Pine | Need SMIME built into our version of Pine - no ETA | Need SMIME built into our version of Pine - no ETA |
- Client Configuration Links
- http://www.msexchange.org/tutorials/Configuring-SMIME-Security-Outlook-Web-Access-2003.html
- http://www.ripe.net/db/support/security/mail_client_tests.html
- http://www.dartmouth.edu/~pkilab/pages/Using_SMIME_e-mail.html
- http://wiki.cacert.org/wiki/EmailCertificates
- Mac: http://www.macdevcenter.com/pub/a/mac/2003/01/20/mail.html?page=last&x-maxdepth=0
- Pine: http://www.dcs.gla.ac.uk/~jp/pine/README
- Pine: http://homes.esat.kuleuven.be/~decockd/site/myHowTos/applications/pine_smime/
- Pine: http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/ConfiguringPineWithSmime?skin=print.pattern
- OWA: http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3MsgSecGuide/f3868471-1aed-41d6-8427-c92cbd5ba84e.mspx
Owner: SLAC Computer Security