Originally Posted By: joemikeb
FOOD FOR THOUGHT: The security experts are now recommending all email and texts should be end to end encrypted. We may all be looking for new email and messaging clients.


How to get free, built-in end-to-end encryption for your email:


1. Browse here and sign up. You don't have to provide your real name, but you might want to. https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate

2. You will receive an email in a few minutes. Click the Collect URL.

3. Download the certificate.

4. Collect.p7s will download and SHOULD automatically go into your user's keychain under Certificates. You can store the p7s file somewhere secure, or you can throw it away. You have it in your keychain, and you don't want ANYONE to have access to that file, or they could impersonate you in email. I store my certificates in an encrypted disk image, along with my password list and license keys.

5. Quit and relaunch your email client (Mac Mail).

6. Compose a new email message. If you have more than one email account configured, select the email account that you entered for the certificate.

7. You will now see two new buttons near the upper right of the email: an unlocked (and grey) padlock and a blue selected check.

The blue check indicates the email will be signed. You can click it to deselect it and not sign the email. Users receiving your email whose clients are not signature-aware will see the signature as an attachment, and it may confuse them. (Can you say "Windows users"?) Signing is the default action for emails that you have a certificate for.

Users with signature-aware email clients will see the received email as signed, and their client will automatically import your public key into their keychain. They can then reply to that email (or make a new one to that address), and they will see the padlock also, but this time it will be enabled. If they select it, the email will be encrypted and only you will be able to read it. They DO NOT have to apply for an email certificate to send you encrypted email, but if you then try to reply to them, you won't have the padlock available because you don't have a public key from them.

If the user has already done this and has a key, then when they reply (whether or not it's encrypted) you will receive their public key and can then reply back to them with the padlock locked.


Mac OS Mail makes this process SOOOOOO easy. Even compared to add-on packages like PGP, this is just effortless and built-in.


Your certificate will only last one year; you have to re-apply for it after that. I think I'm on certificate number 12 or so. My first few were from Thawte, and when they stopped offering free personal certs for email I switched to Comodo. I don't know if it's possible or easy to find that sign-up link from their main page; they may have made it a bit hard to get to since it's free. I think you can pay for a longer (3- or 10-year?) certificate from them if you'd rather.

IN THEORY, they don't keep your private key after you collect it, so IN THEORY nobody can read stuff you encrypt. But that all depends on whether or not you trust Comodo.

I had to use this a few years ago at a place I worked because they required us to email our mileage claims signed. This makes it impossible to argue over mileage being altered by either party, since only the employee could have sent the email, and the employer could not have altered it.


After the first time you send someone a signed email, Mac Mail will verify future email signatures. Unsigned emails, I think, are not flagged. However, if the email is signed and the signature does not match, it will pop up a notice. New signatures will NOT replace existing ones unless they have expired. It's not very aggressive this way, but it does work. It's more intended for encryption than for aggressive signing.


Sometimes geeks will get together in person for a "key signing party", aka a key exchange, where everyone has their flash drives and is handing out copies of their public key to each member of the group. Getting a key from someone via email is insecure by design, as you don't know for certain that it's the person you think it is, unlike meeting them in person. This method of automatically adding keys the first time you see them is just being hopeful that the first time you interact with them you can trust them to be who you think they are, which is good enough for most people.

Mac Mail WILL NOT WARN YOU if your certificate expires; it will just stop signing emails. You have to keep tabs on this and remember to renew your certificate (get a new one, really) every year.


Lastly, if you want to see what the encryption checkbox looks like immediately, just try to send an email to yourself. As soon as you enter yourself on the TO line, the blue encrypt check will enable and select, because of course you have your own public key in your keychain. (It's always included with the p7s private key in the certificate.)

(MFIF may want to consider making this process a Sticky somewhere)


I work for the Department of Redundancy Department