1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
|
<?xml version="1.0" encoding="utf-8"?>
<!-- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"[
<!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
%brandDTD;
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Signing & Encrypting Messages</title>
<link rel="stylesheet" href="helpFileLayout.css"
type="text/css"/>
</head>
<body>
<h1 id="signing_and_encrypting_messages">Signing & Encrypting Messages</h1>
<div class="contentsBox">In this section:
<ul>
<li><a href="#about_digital_signatures_and_encryption">About Digital
Signatures & Encryption</a></li>
<li><a href="#getting_other_peoples_certificates">Getting Other
People's Certificates</a></li>
<li><a href="#configuring_security_settings">Configuring Security
Settings</a></li>
<li><a href="#signing_and_encrypting_a_new_message">Signing &
Encrypting a New Message</a></li>
<li><a href="#reading_signed_and_encrypted_messages">Reading Signed &
Encrypted Messages</a></li>
<li><a href="#message_security_compose_window">Message Security -
Compose Window</a></li>
<li><a href="#message_security_received_message">Message Security -
Received Message</a></li>
</ul>
</div>
<h2 id="about_digital_signatures_and_encryption">About Digital Signatures &
Encryption </h2>
<p>When you compose a mail message, you can choose to attach your digital
signature to it. A <a href="glossary.xhtml#digital_signature">digital
signature</a> allows recipients of the message to verify that the message
really comes from you and hasn't been tampered with since you sent
it.</p>
<p>When you compose a mail message, you can also choose to encrypt it.
<a href="glossary.xhtml#encryption">Encryption</a> makes it very difficult
for anyone other than the intended recipient to read the message while it is
in transit over the Internet.</p>
<p>Signing and encryption are not available for newsgroup messages.</p>
<p>Before you can sign or encrypt a message, you must take these preliminary
steps:</p>
<ol>
<li>Obtain one or more <a href="glossary.xhtml#certificate">certificates</a>
(the digital equivalents of ID cards). For details, see
<a href="using_certs_help.xhtml#getting_your_own_certificate">Getting Your
Own Certificate</a>.</li>
<li>Configure the security settings for your email account. For details, see
<a href="mailnews_account_settings.xhtml#security">Configuring Your
Security Settings</a>.
</li>
</ol>
<p>Once you have completed these steps, you can complete the instructions in
<a href="#signing_and_encrypting_a_new_message">Signing & Encrypting a
New Message</a>.</p>
<p>The sections that follow provide a brief overview of how digital signatures
and encryption work. For more technical details on this subject, see the
online document
<a href="http://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography">Introduction
to Public-Key Cryptography</a>.</p>
<h3 id="how_digital_signatures_work">How Digital Signatures Work</h3>
<p>A digital signature is a special code, unique to each message, created by
means of <a href="glossary.xhtml#public-key_cryptography">public-key
cryptography</a>.</p>
<p>A digital signature is completely different from a handwritten signature,
although it can sometimes be used for similar legal purposes, such as signing
a contract.</p>
<p>To create a digital signature for an email message that you are sending, you
need two things:</p>
<ul>
<li>A <a href="glossary.xhtml#signing_certificate">signing certificate</a>
that identifies you for this purpose. Every time you sign a message, your
signing certificate is included with the message. The certificate includes
a <a href="glossary.xhtml#public_key">public key</a>. The presence of the
certificate in the message permits the recipient to verify your digital
signature.
<p>Your certificate is a bit like your name and phone number in the
phonebook—it is public information that helps other people
communicate with you.</p>
</li>
<li>A <a href="glossary.xhtml#private_key">private key</a>, which is created
and stored on your computer when you first obtain a certificate.
<p>Your private key for a signing certificate is protected by your
<a href="glossary.xhtml#master_password">Master Password</a>, and the
&brandShortName; program does not disclose it to anyone else. The Mail
& Newsgroup software uses your private key to create a unique,
verifiable digital signature for every message you choose to sign.</p>
</li>
</ul>
<h3 id="how_encryption_works">How Encryption Works</h3>
<p>To encrypt an email message, you must have an
<a href="glossary.xhtml#encryption_certificate">encryption certificate</a>
for each of the message's recipients. The public key in each certificate
is used to encrypt the message for that recipient.</p>
<p>If you don't have a certificate for even a single recipient, the
message cannot be encrypted.</p>
<p>The recipient's software uses the recipient's private key, which
remains on that person's computer, to decrypt the message.</p>
<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
section</a>]</p>
<h2 id="getting_other_peoples_certificates">Getting Other People's
Certificates</h2>
<p>Every time you send a digitally signed message, your encryption certificate
is automatically included with the message. Therefore, one of the easiest
ways to obtain someone else's certificate is for that person to send you
a digitally signed message.</p>
<p>When you receive such a message, the person's certificate is
automatically stored by the <a href="certs_help.xhtml">Certificate
Manager</a>, which is the part of the browser that keeps track of
certificates. This is useful because you need to have a certificate for each
recipient of any email message that you want to send in encrypted form.</p>
<p>Another way to obtain certificates is to look them up in a public directory,
such as the <q>phonebook</q> directories maintained by many companies.</p>
<p>It's also possible to look up certificates automatically. This feature
is controlled by
<a href="mailnews_preferences.xhtml#addressing_preferences">Mail &
Newsgroups Preferences - Addressing</a> or
<a href="mailnews_account_settings.xhtml#addressing">Mail & Newsgroups
Account Settings - Addressing</a>, which can be configured to look up
recipients' email addresses in a directory.</p>
<p>When you are using any account that is configured to look up addresses in a
directory, the same directory will be searched for matching certificates when
you attempt to send an encrypted message to one or more recipients for whom
you don't have certificates on file.</p>
<p>The directory will also be searched for missing certificates when you open
the drop-down menu below the Security icon in the Compose window and choose
View Security Info.</p>
<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
section</a>]</p>
<h2 id="configuring_security_settings">Configuring Security Settings</h2>
<p>Once you have obtained an email certificate (or certificates), you must
specify the certificates you want to use for signing and encrypting
messages.</p>
<p>For information about obtaining email certificates, see
<a href="using_certs_help.xhtml#getting_your_own_certificate">Getting Your
Own Certificate</a>.</p>
<p>To specify which signing and encryption certificates to use with a
particular account, begin from the Mail window:</p>
<ol>
<li>Open the Edit menu and choose Mail & Newsgroups Account Settings.</li>
<li>Click Security under the name of the mail account whose security settings
you want to configure.</li>
<li>Under Digital Signing, click Select. (You may be asked to provide your
<a href="glossary.xhtml#master_password">Master Password</a> before you can
proceed further.)
<p>A dialog box appears that allows you to select from among your available
signing certificates.</p>
</li>
<li>Choose the signing certificate you want to use, then click OK.</li>
<li>Follow the same steps under Encryption: click the Select button, select
the encryption certificate you want to use, and click OK.</li>
<p>In some cases you may be able to specify the same certificate under
Encryption that you specified under Digital Signing; check with your system
administrator to find out for sure.</p>
</ol>
<p>Optionally, you can also indicate that you normally want to sign or encrypt
all messages sent from a particular account. These account-specific settings
are for convenience only; you can override the default settings for
individual messages.</p>
<p>To configure your default signing and encryption settings, start from the
Security panel for the account (described above) and select your settings as
follows:</p>
<ul>
<li>Under Digital Signing:
<ul>
<li><strong>Digitally sign messages</strong>: When this checkbox is
selected, all the messages you send from this account will be digitally
signed unless you indicate otherwise before you send the message. To
turn off this default setting, deselect the checkbox.</li>
</ul>
</li>
<li>Under Encryption (choose one):
<ul>
<li><strong>Never</strong>: When this option is selected, messages you
send from this account will be not be encrypted unless you indicate
otherwise before you send them.</li>
<li><strong>Required</strong>: When this option is selected, all the
messages you send from this account will be encrypted—but only if
you have valid certificates for each of the message's recipients.
If you don't have all the necessary certificates, the message
can't be sent unless you turn off encryption for that message.</li>
</ul>
</li>
</ul>
<p>When you have finished configuring your mail security settings, click OK to
confirm them.</p>
<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
section</a>]</p>
<h2 id="signing_and_encrypting_a_new_message">Signing & Encrypting a New
Message</h2>
<p>Before you can digitally sign or encrypt any message, you must obtain at
least one email certificate and configure your mail security settings
correctly. For background information on these tasks, see
<a href="#about_digital_signatures_and_encryption">About Digital Signatures
& Encryption</a>.</p>
<p>The settings specified in
<a href="mailnews_account_settings.xhtml#security">Mail & Newsgroups
Account Settings - Security</a> determine the default settings for each new
Compose window you open when you set out to write an email.</p>
<p>To open a Compose window, start from the Mail window and click Compose. You
can immediately identify the default security settings from the presence or
absence of these icons near the lower-right corner of the window:</p>
<table>
<tr>
<td><img src="chrome://messenger/skin/smime/icons/hdrSignOk.gif"
alt="digital signature icon"/></td><td>The message will be digitally
signed (assuming you have a valid email certificate that
identifies you).</td>
</tr>
<tr>
<td><img src="chrome://messenger/skin/smime/icons/hdrCryptoOk.gif"
alt="encryption icon"/></td><td>The message will be encrypted
(assuming you have valid certificates for all recipients).</td>
</tr>
</table>
<p>To turn these settings off or on, click the arrow just below the Security
icon in the Mail toolbar near the top of the window. Then select the item you
want from the drop-down list:</p>
<ul>
<li><strong>Do Not Encrypt This Message</strong>: Choose this to turn off
encryption for this message. The message will not be encrypted when it is
sent over the Internet.</li>
<li><strong>Encrypt This Message</strong>: Choose this to turn on encryption
for this message. The message will be sent in encrypted form. However, it
can't be sent unless you have valid certificates for all
recipients.</li>
<li><strong>Digitally Sign This Message</strong>: Choose this to turn digital
signing on or off for this message. A checkmark indicates the message will
be signed.</li>
<li><strong>View Security Info</strong>: Choose this to view detailed
information about the security status of this message—to help you
determine, for example, whether you need to obtain a certificate for one of
the recipients.</li>
</ul>
<p>To view detailed information about the message's security status, you
can also click the key or lock icon as described in
<a href="#message_security_compose_window">Message Security - Compose
Window</a>.</p>
<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
section</a>]</p>
<h2 id="reading_signed_and_encrypted_messages">Reading Signed & Encrypted
Messages</h2>
<p>When you view a signed or encrypted message in the Mail window, these icons
near the upper-right corner of the message header indicate the security
status of the message:</p>
<table>
<tr>
<td><img src="chrome://messenger/skin/smime/icons/hdrSignOk.gif"
alt="digital signature icon"/></td><td>The message is digitally
signed and has been validated. If there is a problem with the signature,
the pen is broken.</td>
</tr>
<tr>
<td><img src="chrome://messenger/skin/smime/icons/hdrSignUnknown.gif"
alt="unknown icon"/></td><td>The message is signed, but it has a
large attachment that has not yet been downloaded from the IMAP server.
As a result, the signature cannot be validated. Click the icon to
download the attachment and validate the signature.</td>
</tr>
<tr>
<td><img src="chrome://messenger/skin/smime/icons/hdrCryptoOk.gif"
alt="encryption icon"/></td><td>The message is encrypted. If there
is a problem with the encryption, the key is broken.</td>
</tr>
</table>
<p>For information about certificate validation, see
<a href="using_certs_help.xhtml#controlling_validation">Controlling
Validation</a>.</p>
<p>To see more detailed information about the message's security, click
the key or lock icon, or follow the instructions in
<a href="#message_security_received_message">Message Security - Received
Message</a>.</p>
<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
section</a>]</p>
<h2 id="message_security_compose_window">Message Security - Compose Window</h2>
<p>This section describes the Message Security window that you can open for any
message you are composing. If you're not already viewing Message
Security, click the Security icon in the toolbar of the Compose window.</p>
<p>The Message Security window describes how your message will be sent:</p>
<ul>
<li><strong>Digitally Signed</strong>: This line describes whether your
message will be signed. There are three possibilities:
<ul>
<li><strong>Yes</strong>: Digital signing has been enabled for this
message, you have a valid certificate identifying you, and the message
can be signed.</li>
<li><strong>No</strong>: Digital signing has been disabled for this
message.</li>
<li><strong>Not possible</strong>: Digital signing has been enabled for
this message. However, a valid
<a href="glossary.xhtml#certificate">certificate</a> identifying you
for this purpose is not available, or there is some other problem that
makes signing impossible.</li>
</ul>
</li>
<li><strong>Encrypted</strong>: This line describes whether your message will
be encrypted. There are three possibilities:
<ul>
<li><strong>Yes</strong>: Encryption has been enabled for this message,
valid certificates for all listed recipients are available, and the
message can be encrypted.</li>
<li><strong>No</strong>: Encryption has been disabled or is not possible
for this message.</li>
<li><strong>Not possible</strong>: Encryption has been enabled for this
message. However, a valid certificate for at least one of the listed
recipients is not available, or no recipients are listed, or there is
some other problem that makes encryption impossible.</li>
</ul>
</li>
</ul>
<p>When you compose a message and select a different account, the signing
and encryption preferences are updated to reflect the settings of
the newly selected account.</p>
<p>The Message Security window also lists the certificates available for the
recipients of your message:</p>
<ul>
<li><strong>View</strong>: To view the details for any certificate in the
list, select its name, then click View.</li>
</ul>
<p>For more information about obtaining certificates and configuring message
security settings, see <a href="#signing_and_encrypting_messages">Signing
& Encrypting Messages</a>.</p>
<p>To indicate your signing or encryption choices for an individual message,
click the arrow beside the Security button in the Compose window, then select
the options you want.</p>
<p>To indicate your default signing and encryption preferences for all
messages, see <a href="mailnews_account_settings.xhtml#security">Mail &
Newsgroups Account Settings - Security</a></p>
<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
section</a>]</p>
<h2 id="message_security_received_message">Message Security - Received
Message</h2>
<p>This section describes the Message Security window that you can open for any
message you have received. If you're not already viewing Message
Security for a received message, follow these steps:</p>
<ol>
<li>In the Mail window, select the message for which you want to view
security information.</li>
<li>Open the View menu and choose Message Security Info.</li>
</ol>
<p>The Message Security window displays the following information:</p>
<ul>
<li><strong>Digital Signature</strong>: The top section describes whether the
message is digitally signed and if so, whether the signature is valid.</li>
<p>If validation failed while OCSP was enabled, check the OCSP settings in
<a href="certs_prefs_help.xhtml#privacy_and_security_preferences_certificates">Privacy
& Security Preferences - Certificates</a>. If you are not familiar with
OCSP, confirm the settings with your system administrator. If your settings
are correct, there may be a problem with the OCSP service or the
certificate used to create the signature is no longer valid.</p>
<p>If the signature is invalid because of a problem with a certificate's
trust settings, you can use the <a href="certs_help.xhtml">Certificate
Manager</a> to view or edit those settings.</p>
<li><strong>View Signature Certificate</strong>: If the message is signed,
click this button to view the certificate that was used to sign it.</li>
<li><strong>Encryption</strong>: The bottom section reports whether the
message is encrypted and any decrypting problems.
<ul>
<li>If the message's contents have been altered during transit, you
should ask the sender to resend it. The changes may have been caused by
network problems.</li>
<li>If a copy of your own certificate (used by the sender to encrypt the
message) is not available on your computer, the private key required to
decrypt the message cannot be retrieved. The only solution is to import
a backup copy of your certificate and its private key (see
<a href="certs_help.xhtml#your_certificates">Your Certificates</a> for
details.) If you don't have access to a backup certificate, you
will not be able to decrypt the message.</li>
</ul>
</li>
</ul>
<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
section</a>]</p>
</body>
</html>
|
