Home>Introduction of Email Certificates Usage in MeSign APP

Introduction of Email Certificates Usage in MeSign APP

1. The state of email encryption

As most people know, emails in MIME protocol are in cleartext which are unsecure, so emails need to be encrypted by using S/MIME certificate. This is like the unsecure http, which needs to be secure by switching to the HTTPS. However, the process of deploying and using certificates for email encryption is very cumbersome, which leads to the truth that S/MIME encryption has not always been popularized. Then how to solve this issue? Please refer to Email Digital Signature and Encryption Automation Solution for more details.

Throughout our years’ experience with our customers, we found the traditional way of deploying S/MIME for email encryption is very inefficient, complicated, and provides poor user experience. Therefore, we decided to develop an email client - MeSign APP, to make S/MIME easy to use and accessible to everyone. Email certificates are configured automatically once users log in their email accounts in MeSign APP, and MeSign APP encrypts every email by using the certificate for users automatically. MeSign APP is a tool which helps users with certificate applications, certificate configurations, certificate usage, and certificate management. Although users have started using email certificates in MeSign APP, we have not introduced the usage of different email certificates in MeSign APP, and even we originally designed not to display users’ certificates on the user interface.

However, it is difficult to change the way that users have been using for 20 years, especially for users who have already applied for the email certificates. To help users to understand the roles of our email certificates, here is an introduction to the functions and purposes of different email certificates used in MeSign APP.

2. What types of email certificates are used in MeSign email digital signature and encryption services? Why do we need to use so many kinds of certificates?

At present, the S/MIME email certificates selling by the world's major well-known CAs are all single certificates (.pfx/.p12). The usage of the certificate includes encryption and digital signature, one certificate can be used for both digital signature and encryption of emails. This is used for exchanging the public keys for email encryption while sending the signed email so that the other parties can automatically use the public key to encrypt emails.

Our R&D team found that the reason why S/MIME encryption cannot be widely used is that the key management is too complicated, and the exchange of public keys is too troublesome. Therefore, we decided to learn from the cloud key management mode provided by major cloud service providers to host the private keys of the encrypting certificate in the cloud, so that users can retrieve the keys to encrypt and decrypt emails on demand at any time. With this solution, users can send encrypted emails and read decrypted emails as easy as sending and reading the normal emails without exchanges the public keys with all the parties you communicate with in advance. The traditional email certificate is a single certificate, which means that the user's private key of certificate used for email signature must also be hosted in the cloud, which makes it impossible to convince the users of the controllability of the email signature behaviour. What to do?

Our solution is to split the traditional email certificate into two certificates, one is signing certificate, and another is encrypting certificate. The keys of the encrypting certificate are generated in the cloud and securely encrypted and stored in the MeSign Cryptography Infrastructure. The keys of encrypting certificate can be automatically retrieved from the cloud to automatically decrypt the encrypted email, after the user log in their email account in MeSign APP successfully which means MeSign verified that the user has the right to control this email account. So, with MeSign APP users realize automatic email encryption and decryption without applying for and importing the email certificate manually and repeatedly for different devices. When the user sends an encrypted email, MeSign APP will automatically retrieve the public key of the recipient to send encrypted emails, so that users do not need to exchange public keys in advance, which truly realize a senseless automatic email encryption and decryption. Since the signing certificate contains the user's identity information, the user's signing behaviour has legal effect. Therefore, the signing certificates are designed to be generated and saved on the local device securely. We can also regard the signing certificates as an identity certificate for each device. Each device generates a new signing certificate when using the MeSign APP. This is why users can see that the serial number of signing certificate on different devices in MeSign APP are different.

We adopted different key management modes for signing certificates and encrypting certificate based on their functions and usage, which completely makes S/MIME easy to use and accessible. At the same time, our solution inherits the characteristics of non-counterfeiting, non-forgery and non-repudiation of S/MIME email signature, truly making S/MIME an email encryption technology for everyone. We make email certificate and encryption keys easy to be managed by users, so users can send encrypted emails and decrypted emails automatically as easy as dealing with normal cleartext emails.

In summary, there are three types of digital certificates used by MeSign APP:

  1. (1) Traditional dual-usage (signature and encryption) digital certificates, referred to as "email certificate", which are compatible with the publicly trusted email certificate provided by all publicly trusted CA.
  2. (2) The certificate only used for digital signature; it is called "signing certificate”.
  3. (3) The certificate only used for encryption; it is called "encrypting certificate".

For the signing certificate, if the user only completes the email validation, the automatically configured signing certificate is called "Email Signature Certificate" or simply as "Signing Certificate". If the user has completed identity validation, then the auto-configured certificate is also called "Identity Certificate". For personal users, the signing certificate that is automatically configured after passing the individual validation is called "Personal Identity Certificate" (previously called V2 signing certificate). For organization users, the signing certificate that is automatically configured certificate for all employee after the organization completes the organization validation is called "Organization Email Certificate" (previously called V3 signing certificate); the signing certificate that is automatically configured after organization employees complete the employee identity validation is called "Organization Employee Certificate" (previously called V4 signing certificate).

In addition, MeSign Technology’s global original creation attaches a timestamp signature when digitally signing emails, so a timestamp signing certificate is also used.

You can see that MeSign APP uses 7 different types of digital certificates (Encrypting Certificate, Signing Certificate, Personal Identity Certificate, Organization Email Certificate, Organization Employee Certificate, Vp Email Certificate and Timestamp Signing Certificate). The specific uses of different certificates are explained in detail in the next section.

3. Different email certificates usage

3.1 Encrypting Certificate

After user successfully setup email account in MeSign APP, MeSign APP will automatically apply for an encrypting certificate from the MeSign certificate issuance system, then distribute and configure it for MeSign APP use automatically. User can immediately send encrypted emails and decrypt encrypted emails without applying for an email certificate from other CAs. The encrypting certificate only validates the control of the email address. Each email address is bound with only one encrypting certificate, so the same email address uses MeSign APP on multiple devices have the same encrypting certificate, so that all devices can decrypt the encrypted emails sent by each device.

User can view the encrypting certificate in the "Settings"-"Certificate Admin" of MeSign APP. As shown in the left figure below, there is an encryption lock icon in front of the certificate information. Click "View Certificate", user can see that the certificate key usage is " Key Encipherment" which means the certificate be used for encryption, as shown in Figure 2 below. If user view it in Windows, as shown in Figure 3 below, the certificate subject only displays the user’s email address, and the key usage is "Key Encipherment (20)”, as shown in Figure 4 below.

Encrypting Certificate Encrypting Certificate Encrypting Certificate Encrypting Certificate

3.2 Four Signing Certificates

(1) Signing Certificate

After user successfully setup email account in MeSign APP, MeSign APP will automatically generate a key pair locally on the user’s device and generate a certificate signing request and post it to the MeSign certificate issuance system to apply for a signing certificate automatically, and MeSign APP retrieves and configures it for use automatically once the certificate is issued. User do not need to apply it from other CA, the signing certificate can used for sending signed emails immediately. This certificate is called “MeSign Signing Certificate” or “Signing Certificate” that is auto-configured for the MeSign Free Edition service users for free, which only is validated the email control, so the certificate subject only displays the email address. If user use MeSign APP to log in to the same email account on multiple devices, each device has a different V1 signing certificate, which is not only used for digital signatures of emails, but also a device security certificate used to bind the device used for identity authentication and encrypted communication with MeSign cloud system.

User can view the signing certificate in "Settings"-"Certificate Admin" in MeSign APP, as shown in the left figure below. There is a signature icon in front of the certificate information, MeSign APP use V1 icon for this certificate. Click "View Certificate", user can see that the certificate key usage is "Digital Signature, Non-repudiation”, as shown in Figure 2 below. If user view it in Windows, as shown in Figure 3 below, the certificate subject only displays the user email address, and the key usage is “Digital Signature, Non-repudiation (c0)".

Signing Certificate Signing Certificate Signing Certificate Signing Certificate
(2) Personal Identity Certificate

If a personal user purchased the Personal Pro Edition, MeSign APP also automatically configure a signing certificate containing this personal’s identity information including full name, the province/state, city, and country, we call this signing certificate as “Personal Identity Certificate”, MeSign APP use V2 icon for this certificate as shown in the below pictures.

Personal Identity Certificate Personal Identity Certificate
(3) Organization Email Certificate

If the user purchased the Business Pro Edition, the MeSign APP automatically configure the signing certificate containing the company name, province/state, city, and country for all employees for free, this certificate is called “Organization Email Certificate” that MeSign APP use V3 icon for this certificate. The number of employees is unlimited. And the organization account.

It administrator needs to validate the company's email address domain name. See below figure for this signing certificate .

Organization Email Certificate Organization Email Certificate
(4) Organization Employee Certificate

If the user purchased the Business Pro Edition, of which includes 10 Organization Employee Certificates for employees. After employees complete the employee identity validation as required, the MeSign APP will automatically configure a signing certificates containing the employee name, title and company name, province/state, city, and country, we call this certificate “Organization Employee Certificate” that MeSign APP use V4 icon for this certificate as shown in the below figures .

Organization Employee Certificate Organization Employee Certificate

Why need to apply for employee identity validation? It is because the organization validation can only prove that the organization’s identity has been validated, but it cannot prove the employee's identity is validated, so MeSign APP displays only the name of the organization and without the name of the employee. Once the employee is validated, MeSign APP will automatically configure an Organization Employee Certificate and use this signing certificate to digitally sign the email, so when the recipient receives the signed email, the employee’s name and title will be displayed under the sender’s email address in MeSign APP. Then receivers are more confident about the authenticate identity of the sender. As shown in the figures below , it shows the difference between the Organization Email Certificate signed email (the left figure) and the Organization Employee Certificate signed email that displayed in MeSign APP.

Organization Employee Certificate Organization Employee Certificate

3.3 Vp Email Certificate

The encrypting certificate and signing certificate mentioned above are trusted by MeSign only. If a non-MeSign APP user, such as an Outlook user, receives a message digitally signed with a V1/V2/V3/V4 signing certificate from a MeSign APP user, Outlook will prompt a warning message such as "The signature has problems and the digital signature is invalid", which will cause the recipient to doubt the sender's identity.

Considering this compatibility issue, MeSign Technology cooperated with the world leading CA - Sectigo launched a publicly trusted email certificate - Vp Email Certificate. This certificate is issued by the Sectigo publicly trusted root certificate. The identity validation level is as same as the Free Edition auto-configured signing certificate, so only the validation of email control is required. As shown in Figure 1 below, MeSign APP use Vp icon for the Vp Email Certificate in the Certificate Admin, it is set as default signing certificate and encrypting certificate. As shown in Figure 2 below, this is the chain of the Vp Email Certificate. The certificate subject information is shown in Figure 3 below. The Vp email certificate is a single certificate, and the purpose of the certificate includes digital signature and encryption - "Digital Signature, Key Encipherment", as shown in Figure 4 below.

Vp Email Certificate Vp Email Certificate Vp Email Certificate Vp Email Certificate

3.4 Dual-certificate and dual digital signature application – V1/V2/V3/V4+Vp

Users can automatically have the Vp Email Certificate by purchasing the Starter Edition or Pro Edition. MeSign APP will automatically set the Vp Email Certificate as the default signing certificate and encrypting certificate. MeSign APP will automatically combine the publicly trusted Vp Email Certificate and MeSign trusted signing certificates containing user validated identity information to perfectly realize the dual-certificate and dual digital signature of emails, thereby realizing the global trust of digital signatures of emails and user’s identity.

As shown in the left figure below, once a MeSign APP user receive a signed and encrypted email sent by another MeSign APP user, MeSign APP will validate the identity information signed with the V2/V3/V4 signing certificate in the email and display the sender’s validated identity information. However, if the recipient uses an email client such as Outlook to view it, the identity information signed with the Vp Email Certificate in the email is validated and the digital signature of the user is trusted in Outlook, as shown in the right figure below. This solution solves the problem that signed emails sent by MeSign APP are displayed warning as invalid digital signatures in other email client and helps MeSign APP users to effectively identify the sender's true identity and completely solve email fraud problem.

Dual-certificate and dual digital signature application Dual-certificate and dual digital signature application

Let us look at how the dual signature implemented by the 4 signing certificates plus the Vp Email Certificate are displayed in MeSign APP. As shown in the left figure below, if a user purchased the Starter Edition service, MeSign APP will display the Vp icon and "Email Validated, Identity Not Validated, Digital Signature Publicly Trusted" when the signed email sent by this user. If a user purchased Personal Pro Edition service, MeSign APP will display the V2 and Vp icon, user’s full name and "Identity Validated and Publicly Trusted" when the signed email sent by this user. See below right figure.

Dual-certificate and dual digital signature application Dual-certificate and dual digital signature application

If the user purchased the Business Pro Edition, as shown in the left figure below, MeSign APP will display the V3 and Vp icon, the company’s name and " Identity Validated and Publicly Trusted " when the signed email sent by this user. If the sender has completed the identity validation as a company’s employee, MeSign APP will display the V4 and Vp icon, employee’s name, title, company’s name and " Identity Validated and Publicly Trusted" when the signed email sent by this user, as shown in the right figure below.

Dual-certificate and dual digital signature application Dual-certificate and dual digital signature application

From the pictures shown above, we know why users still need a signing certificate with validated identity information even if they have Vp Email Certificate in place. It is because Vp Email Certificate validated the user’s email address only which cannot avoid identity fraud issues. Therefore, it is necessary to add the identity certificate signature on emails to prove the user’s validated identity and improve online trust. MeSign APP exclusively adopted the technologies of dual-certificate and dual digital signature to enable digital signature and user’s identity be globally trusted.

3.5 Timestamping certificate

MeSign uniquely innovated the email timestamp signature, using the international standard RFC3161 timestamp to attach the timestamp signature data to the digital signature of the email. MeSign APP uses Timestamping certificate to identify the email attached with the timestamp signature data, as shown in the left picture below, to prove the sent time of email is not from the untrusted time on the user's computer or the mail server, but from a trusted time of MeSign timestamping service, which can be used in scenarios that need to prove the email sent time. Click on the timestamp icon, then the timestamp certificate information will be displayed, as shown in the two right figures below. The purpose of showing this certificate is for timestamp signing, and the certificate is issued by the MeSign root certificate "MeSince Identity CA".

Timestamping certificate
Timestamping certificate Timestamping certificate

4. Summary

Actually, we think it is not necessary for you to understand every details of email certificates, if you still have some doubts after reading the introduction above. It is because we believe what you need is email encryption other than email certificates.

To start email encryption, you only need to download and install MeSign APP, set up your email account , click "Compose", fill in the recipient's email address, and you can easily send encrypted and digitally signed emails to all the parties you want to communicate with right away! It's so simple!

MeSign APP