Davin's blog: Occasional posts on user experience design, faith, and family.

29 Mar 2009

DSS.MIL is not to be trusted

Unsigned cert warning at dss.mil website

It's funny that the homepage of the Defense Security Service (which provides security services to the Department of Defense and defense contractors, mostly counter-espionage and physical security tasks) triggers an SSL certificate error. Is that some sort of first lesson: TRUST NO ONE! Heh.

30 May 2006

Overview of PGP, S/MIME and the evolving versions of secure e-mail

I just read an article by Jim Galvin, (IN)SECURITY FROM END TO END, published in March of 2000 in Information Security Magazine.

The article provides an overview of the origination of secure e-mail and how the technologies have changed over the years. It also provides context for digital signatures, e-mail certificates, and PGP versus S/MIME.

Here's an excerpt from the article:

PGP vs. S/MIME, S/MIME vs. PGP. On the one hand, it really doesn't matter which of the two technologies you choose. From a user's perspective, both provide the same set of security services, and neither really has any significant advantage over the other. On the other hand, the fact that there are two choices naturally raises the question of interoperability.

26 May 2006

Securing e-mail

Every once in a while, I get e-mails from server admins with host connection information. This tends to get under my skin, though I admit to sending similar information from time to time. The thing is, e-mail is so darned good at delivering this kind of information. The problem, of course, is that e-mail is typically not secure. So, sending information like user names, passwords or other information like social security numbers or banking information via e-mail can be a pretty serious risk.

So, today when I received yet more user names and passwords via e-mail, and then needed to pass that information on to a person I work with, I figured it was as good a time as any to look into securing e-mail.

I've known about PGP, but have had issues getting it working in former versions of Apple's Mail application. So, upon Googling for apple mail encryption or some-such phrase, I found a few helpful resources.

The first link above is a walk-through on getting S/MIME set up with Apple Mail. S/MIME seems to be an alternative to PGP. The short story is that I went ahead and got a certificate from Thawte, installed it into a special keychain on the Mac, sent a signed message to my co-worker while he was doing the same. Now we have each other's public keys stored in our respective programs and we each have our own private keys, so we can send signed and encrypted e-mail to each other.

So, from here on out, I have a safer way of sending sensitive information to some select people.

And, I need to give credit to Apple's Mail application. While getting the certificates and keychain access all worked out wasn't the most straightforward task (it wasn't hard though), now that it is set up, signing and encrypting messages is very easy.
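
The exchange described in the post above (swap signed messages to learn each other's certificates, then encrypt to them), reproduced with the openssl command line as an added example that is not part of the original post. The names alice and bob, the example.test addresses and the self-signed certificates are assumptions for the demo; the post used Thawte-issued certificates stored in the Mac keychain.

```shell
#!/bin/sh
# Added example. Names, addresses and self-signed certs are constructed;
# the post used CA-issued (Thawte) certificates held in the Mac keychain.
smime_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # Each correspondent has a private key and a certificate.
        for who in alice bob; do
            openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
                -subj "/CN=$who/emailAddress=$who@example.test" \
                -keyout "$who.key" -out "$who.crt" 2>/dev/null || exit 1
        done
        printf 'host: db.example.test\nuser: deploy\n' > msg.txt

        # 1. Bob sends a signed message; his certificate travels inside it.
        openssl smime -sign -in msg.txt -signer bob.crt -inkey bob.key \
            -out signed.eml || exit 1

        # 2. Alice verifies it and keeps the signer's certificate.
        #    -CAfile bob.crt stands in for trusting the issuing CA.
        openssl smime -verify -in signed.eml -CAfile bob.crt \
            -signer bob_from_mail.crt -out /dev/null 2>/dev/null || exit 1

        # 3. Alice encrypts to the certificate she took from the signed mail.
        openssl smime -encrypt -aes256 -in msg.txt -out enc.eml \
            bob_from_mail.crt || exit 1

        # 4. Bob's private key decrypts it; Alice's own key must not.
        openssl smime -decrypt -in enc.eml -recip bob.crt -inkey bob.key \
            -out plain.txt || exit 1
        if openssl smime -decrypt -in enc.eml -recip alice.crt \
            -inkey alice.key -out wrong.txt 2>/dev/null; then
            exit 1
        fi
        # S/MIME canonicalises line endings to CRLF, so drop CR to compare.
        tr -d '\r' < plain.txt | cmp -s - msg.txt
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

smime_demo && echo "S/MIME round trip OK"
```

The signed message only proves who sent it; the credentials stay readable until step 3, when the body is encrypted to the recipient's certificate.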

1 Aug 2005

Securing the Mac 10.4 laptop

I talked with a guy from the MSU Computer Store this morning about getting Norton AntiVirus or Internet Security for the Mac laptop I've been using. His recommendation is to just get AntiVirus 10 for the Mac and change a few settings on the laptop.

Here are his recommendations:

  • Turn off Bluetooth, Discoverable, so that random Bluetooth enabled devices won't see the laptop.
  • Turn on the system's Firewall in System Preferences
  • Install Norton AntiVirus and keep it updated

Just a note, I've been using Macs for years, and the last virus I had on a Mac was in 1995 and it was a Word Macro virus. Highly irritating, but it did very little damage.

That said, I'm sure the day will come when a virus will rip through the Mac world and play havoc with all of the unprotected Macs out there.