
S/MIME Certificates

S/MIME is an e-mail security technology that is supported by most desktop e-mail applications (Outlook, Thunderbird, the Mac OS X Mail application, etc.) without requiring the installation of plug-ins in the way that PGP does. Unfortunately, it is not in general supported by on-line mail services such as Google Mail.

I normally digitally sign all my e-mail so that anyone can tell if it is authentic. You don’t need to do anything to get this verification other than to be running an e-mail client that supports S/MIME.

You can also use S/MIME to encrypt mail you send to me. To do that, you need to have access to my current S/MIME certificate. Your e-mail application will normally remember any certificates that it sees in incoming mail for later use, so if your client has ever seen signed e-mail from me, you probably already have a copy of my current certificate. This is one of the main reasons I sign my e-mail whenever possible.

In most e-mail clients, you can tell if you have a certificate for a particular recipient fairly easily by simply enabling encryption: if you don’t have a certificate for them, you won’t be able to do that. Alternatively, you can normally poke around in your e-mail client to see which certificates it has already collected. In Thunderbird, for example, if you look in the advanced preferences “Certificates” tab, using “View Certificates” and looking under “Other People’s” gives you a list of all the S/MIME certificates that Thunderbird has already collected.
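As an added illustration (not part of the original page), the Python sketch below shows where a client finds the signature it collects a certificate from: it classifies messages by their S/MIME MIME structure and lists the senders whose mail was signed. The function names and sample messages are constructed for this example, and the base64 body is a placeholder rather than a real signature.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
CMS_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def smime_kind(raw):
    """Return 'detached-signed', 'opaque-signed', 'encrypted' or 'none'."""
    msg = message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol") or "").lower()
        return "detached-signed" if proto in SIG_TYPES else "none"
    if ctype in CMS_TYPES:
        kind = str(msg.get_param("smime-type") or "").lower()
        return {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted"}.get(kind, "none")
    return "none"

def signature_blob(raw):
    """Decoded CMS bytes holding the signature (normally with the signer's certificate)."""
    msg = message_from_bytes(raw, policy=policy.default)
    kind = smime_kind(raw)
    if kind == "opaque-signed":
        return msg.get_payload(decode=True)
    if kind == "detached-signed":
        for part in msg.iter_parts():
            if part.get_content_type() in SIG_TYPES:
                return part.get_payload(decode=True)
    return None

def senders_with_signed_mail(messages):
    """Addresses whose mail would have given a client a certificate to collect."""
    found = set()
    for raw in messages:
        if smime_kind(raw).endswith("-signed"):
            sender = message_from_bytes(raw, policy=policy.default).get("From", "")
            found.add(parseaddr(str(sender))[1].lower())
    return found

# Constructed samples; the base64 body is a placeholder, not a real CMS structure.
SIGNED = (b'From: Alice Example <alice@example.org>\n'
          b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"\n\n'
          b'--b1\nContent-Type: text/plain\n\nhello\n'
          b'--b1\nContent-Type: application/pkcs7-signature\nContent-Transfer-Encoding: base64\n\n'
          b'Q09OU1RSVUNURUQ=\n--b1--\n')
ENCRYPTED = (b"From: dave@example.org\n"
             b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\nAAAA\n")
PLAIN = b"From: carol@example.org\nSubject: hi\n\nunsigned text\n"
```

Mail that is only encrypted is deliberately not counted: it is the signature part of a signed message that a client collects the sender's certificate from.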

If you need to send mail to me and for some reason don’t have my current S/MIME certificate, the most secure way of acquiring it would be to ask me to sign an e-mail message to you, and allow your e-mail client to collect the certificate that way.