#1
How do I import a certificate?
The help file is very confusing. I want to be able to encrypt some of my emails.

This is the helpfile for importing a certificate.

It's clear as mud. :-(

Andy

Managing S/MIME certificates

Certificates allow you to communicate with others securely over an encrypted connection, or sign a message confirming your identity to the contact. These settings only apply to S/MIME encryption.

You can import, view, edit (except for your own certificates), and delete your certificates under Edit ▸ Preferences ▸ Certificates.

If you get the error "Peer's certificate issuer has been marked as not trusted by the user. (-8172) - Cannot add SMIMEEncKeyPrefs attribute" after adding your mail certificate, go to Authorities and enable Trust this CA to identify email users for the certificate.

Your Certificates displays a list of certificates that you own. To add a signing certificate, click Import, select the file to import, then click Open and enter a password.

Contact Certificates displays a list of certificates that you have for contacts. These certificates allow you to decrypt messages as well verify signed messages.

Authorities displays a list of trusted certificate authorities that verify that your own certificate is valid.
#2
Andy wrote:
> The help file is very confusing. I want to be able to encrypt some of my emails.
> This is the helpfile for importing a certificate.
> It's clear as mud. :-(

You should test this with two computers you own, and send email to yourself on a second computer, to verify the certificate and key pair are working properly, before you spring this idea on a third-party.

*******

The text you quote comes from the second link here, but I can't really tell what email client it refers to:

https://help.gnome.org/users/evoluti...yption.html.en
https://help.gnome.org/users/evoluti...manage.html.en

The practical details are listed here. It appears to be an end-to-end encryption scheme of some sort. Maybe GPG is another way to do it?

https://en.wikipedia.org/wiki/S/MIME...E_certificates

"Due to the requirement of a certificate for implementation, not all users can take advantage of S/MIME some may wish to encrypt a message, with a public/private key pair for example, without the involvement or administrative overhead of certificates. Any message that an S/MIME email client stores encrypted cannot be decrypted if the applicable key pair's private key is unavailable or otherwise unusable (e.g., the certificate has been deleted or lost or the private key's password has been forgotten). However, an expired, revoked, or untrusted certificate will remain usable for cryptographic purposes. Indexing of encrypted messages' clear text may not be possible with all email clients. Neither of these potential dilemmas is specific to S/MIME but rather cipher text in general and do not apply to S/MIME messages that are only signed and not encrypted."

An example of a certificate can be seen here.

https://www.comodo.com/home/email-se...ertificate.php

They make it sound here like a recipient needs your certificate for this to work. In an organization, perhaps a company wide certificate allows employees to be protected this way.

https://support.office.com/en-us/art...ID=HA104209995

There are some pictures here, but this still isn't enough detail for me. Perhaps I need to read the PKI page as well.

https://technet.microsoft.com/en-us/...chg.65%29.aspx

"Understanding Public Key Cryptography"

https://technet.microsoft.com/en-us/...chg.65%29.aspx

I had to check the date on the articles, because this one references 3DES as the strongest encryption it's got. But the article is from 2005. Something stronger is probably available today.

https://technet.microsoft.com/en-us/...chg.65%29.aspx

The author of this article thinks it's pretty silly having Comodo transmit a private key over the airwaves, as part of making a new certificate. The recipe here claims to hide the details a bit better. It really depends on who you're protecting the email stream from, as to what technique is best (from an effort versus benefit point of view).

https://henrytodd.org/notes/2013/gen...ys-with-smime/

It kinda looks to me like both parties need certificates. You have your own private key used to encrypt outgoing messages. But when sending the message, to keep it private to a particular recipient, the public key of the recipient is also part of the crypto. So when you refer to installing certificates, perhaps installing a recipient certificate is also necessary, as well as your own (more secret) crypto details?

I think the recipient certificate is the "Contacts Certificate" in Gnome, and it might include email address and public key. The public key is likely hashed into the message, so only the recipient can decrypt with their private key.

https://support.deskpro.com/en/kb/ar...-encoded-email

Email encryption

To encrypt emails you need to add the public certificate of your recipient in your system. The content will then be unreadable to anyone who doesn't have the private key needed to decrypt it.

Yes, it's confusing.

If I wanted to test this, I would use:

1) Two brand new fresh email accounts.
2) Two computers.
3) A Comodo certificate for each computer.
4) Transmit an S/MIME message to the second computer, copied to your "regular" email address. If the email comes to you as well, it should be unreadable. Whereas the second computer will verify signing and present clear text.
5) While doing so, you'll want to run Wireshark and see how many packets are sent to Comodo.

This will teach you the installation of the encryption certificate on the one computer, and also carting the recipient certificate from the second computer to the first, to add the recipient certificate to your local certificate store on the first computer. Something along those lines.

Now, maybe it's possible to receive a crypto email, be looking at "jumbled hex". But the thing is, installing the sender's certificate isn't going to help, because the message probably wasn't prepared when the recipient certificate was in his certificate store. The message in effect "isn't addressed to you" if he didn't have the key at that point in time.

I suspect both ends have to be using certificates, before a clear channel can be achieved. And the email client may refuse to send an S/MIME, unless at least one recipient certificate is in the store and that recipient is in the To: list.

Good luck, Mr. Snowden :-)

Paul
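
The two-mailbox test described in the post above can be rehearsed on a single machine before any mail accounts or CA-issued certificates are involved. The following is an added example, not part of the original posts: it uses the `openssl smime` command with throwaway self-signed certificates, and the names alice, bob and carol, the example.test addresses and the message text are constructed for the demonstration (carol stands in for any mailbox the message was not encrypted to).

```shell
#!/bin/sh
# Added example: S/MIME round trip on one machine with throwaway certificates.
# alice, bob, carol, the example.test addresses and the message are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity NAME: private key NAME.key plus self-signed certificate NAME.crt.
# The .crt is the public half a correspondent would import as a contact certificate.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$1@example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# send_smime SENDER RECIPIENT: sign with the sender's private key, then
# encrypt the signed message to the recipient's certificate (public key).
send_smime() {
    printf 'Meet at noon.\n' > "$WORK/body.txt"
    openssl smime -sign -text -in "$WORK/body.txt" \
        -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -out "$WORK/signed.eml" 2>/dev/null &&
    openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
        -out "$WORK/mail.eml" "$WORK/$2.crt"
}

# read_smime READER TRUSTED: decrypt with the reader's private key, then verify
# the signature with TRUSTED's certificate as the only trust anchor.
# Prints the clear text; returns non-zero if either step fails.
read_smime() {
    openssl smime -decrypt -in "$WORK/mail.eml" \
        -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -out "$WORK/inner.eml" 2>/dev/null &&
    openssl smime -verify -text -in "$WORK/inner.eml" \
        -CAfile "$WORK/$2.crt" -out "$WORK/clear.txt" 2>/dev/null &&
    tr -d '\r' < "$WORK/clear.txt"
}

make_identity alice && make_identity bob && make_identity carol
send_smime alice bob    # encrypted to bob's certificate only

# Intended recipient: holds the matching private key and trusts alice's certificate.
echo "bob reads: $(read_smime bob alice)"

# Any other mailbox: no recipient entry matches carol's certificate.
read_smime carol alice >/dev/null ||
    echo "carol: cannot decrypt, message was not encrypted to her certificate"

# Right key, wrong trust store: decryption works but the signer is untrusted,
# the same class of failure as the "issuer ... not trusted" error in the help text.
read_smime bob carol >/dev/null ||
    echo "bob: signature rejected when alice's certificate is not trusted"
```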
#3
On Sunday, January 14, 2018 at 11:52:51 PM UTC-6, Paul wrote:
> I suspect both ends have to be using certificates, before a clear channel can be achieved. And the email client may refuse to send an S/MIME, unless at least one recipient certificate is in the store and that recipient is in the To: list.
>
> Good luck, Mr. Snowden :-)
>
> Paul

Thanks.

I found an easier way.

Getting a signing certificate is complex and you have to pay to get one.

I will encrypt my emails individually and send them to my spy friends. :-)

Linux uses gpg. Is that included in WinXP and later versions?

If not, is there a Windows version that others can install?

Thanks,
Andy
#4
Andy wrote:
> Linux uses gpg. Is that included in WinXP and later versions?
>
> If not, is there a Windows version that others can install?

GPG is named after GNU, so it's freeware.

The program is "too quiet". It doesn't tell you what it's doing. This is a pain in the ass. One hint - it compresses the thing it is working on, before encrypting it. If the output file seems "tiny", that is why.

I also had trouble finding the encryption controls. They're buried in there somewhere. I think it uses RSA2048 by default, but I wanted to adjust that and try other things, like maybe AES129 or AES256. The "engine" it uses should have a variety of algorithms available. Sticking with the defaults, of course, increases the odds your comms will work with your "spy friend".

The purpose of the program is to offer crypto to people who don't know what they're doing. And they didn't want to "scare" people by providing status info.

*******

I fooled around with this a bit.

https://www.gpg4win.org/download.html

You could also read up on this. I've never used this or tried it, but at least one other person on the newsgroups uses this. The topic came up once.

https://en.wikipedia.org/wiki/Enigmail

When public keys are served from a central server or from a keyring of some sort, they're indexed by a personal identifier. For example, . You end up trading a bit of your privacy, to have your public key hosted in a publicly available spot.

Just a word of warning on your travels through crypto-land, if you're wondering "why do they need to know my email address or my name". In some cases, it's to index a central storage facility.

This is also why your first experiment should be with a throwaway setup, until you iron out the details. You don't want your "official" key, indexed by your name, to be screwed up in any way, so fooling with an "Alfred E Neumann" public key is better for your first attempt.

Any public facility used to store some metadata, you can bet it's going to be very hard to contact an administrator and say "You know that Andy thing I just put up there, could you remove it for me? I messed it up".

Good luck,
Paul