Email Encryption and Signature Services FAQs

  • 1. There are 3 different editions of email encryption and digital signature services. What are the differences?

    Email encryption and digital signature services are offered in 3 editions: Free Edition, Starter Edition and Pro Edition. They are also divided into personal service and business service according to user type, and include both free and paid services. The specific differences are:

    (1) Free Edition:
      Provides users with basic-level email encryption and digital signature services. It is completely free forever and automatically configures the MeSign trusted signing certificate and encrypting certificate, which contain only the email address.
    (2) Starter Edition:
      A publicly trusted Vp Email Certificate is added to the Free Edition. MeSign APP uses this certificate to digitally sign emails by default, so other email clients display “The digital signature is trusted”.
    (3) Pro Edition:
      User identity validation is added to the Starter Edition, with the publicly trusted Vp Email Certificate auto-configured. After the validation is completed, the MeSign trusted signing certificate containing the user’s identity information is automatically configured for free.
  • 2. Why do emails need to be encrypted, digitally signed and timestamped?

    The first email was sent around 1965, so email has a history of 55 years. It has been in wide use for 23 years, since Microsoft acquired the first free email service provider, Hotmail, in 1997. Email used to be the largest source of traffic and the most commonly used application on the Internet. Like the HTTP protocol, email is transmitted in cleartext, so each email is like a "postcard" transferred and stored on the Internet. People would never write confidential information on a postcard, yet almost all confidential information related to our work and life is sent by email in cleartext, just like a postcard. This is an incredibly strange phenomenon.

    In other words, email is a must for our work and life, but it is like a "postcard" (sent in cleartext). It is very insecure, because the content of an email can easily be stolen or tampered with during transmission. In particular, more and more enterprises have migrated their email systems to cloud email services. How to ensure that email content stored in the cloud is not used illegally and remains fully compliant has become an urgent challenge.

    Due to the importance of email in our work and life, the International Standards Organization issued the S/MIME protocol for email encryption and signature in 1995, supporting the use of PKI digital certificates to encrypt and sign email. Currently, some commonly used email client software supports using an S/MIME certificate for email encryption and digital signature.

    Currently, the most widely used encryption technology for email is the TLS/SSL protocol, which is designed to secure communications between email clients and email servers. If every email server on the delivery path has deployed TLS/SSL, the email is encrypted across the entire transmission. But if one of the email servers on the path has not deployed TLS/SSL, the email is transferred in cleartext between email servers. Even if all email servers have deployed TLS/SSL, this only secures the email during transmission; it cannot guarantee that the cleartext email is secure when it is stored permanently on a cloud server.

    To truly ensure that confidential information in emails is secure, in accordance with the relevant compliance requirements, the S/MIME international standard must be used to implement end-to-end email encryption. The email should be encrypted into ciphertext with a certificate before leaving the email client. Only in this way does the security of the email in transit and at rest not depend on the TLS/SSL deployment of the email servers.
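
    The difference between hop-by-hop TLS and message-level S/MIME encryption can be checked on a received message. The following is an added example, not MeSign code: it reads each `Received` header to find hops that did not use TLS and inspects the top-level MIME type for S/MIME protection. The function names, hosts and sample message are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords meaning the hop was received over TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
COMMENT = re.compile(r"\([^()]*\)")

def strip_comments(value):
    """Drop (nested) header comments such as '(using TLSv1.3 with cipher ...)'."""
    prev = None
    while prev != value:
        prev, value = value, COMMENT.sub(" ", value)
    return value

def hops(msg):
    """Return [(receiving_host, protocol, used_tls)] in the order of travel."""
    out = []
    for raw in reversed(msg.get_all("Received", [])):  # newest header is first
        text = strip_comments(raw)
        by = re.search(r"\bby\s+([^\s;]+)", text, re.I)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text, re.I)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        out.append((by.group(1) if by else "?", name, name in TLS_KEYWORDS))
    return out

def smime_protection(msg):
    """Classify the top-level MIME type: 'encrypted', 'signed', 'unknown' or 'none'."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        kind = str(msg.get_param("smime-type") or "").lower()
        if kind in ("enveloped-data", "authenveloped-data"):
            return "encrypted"
        return "signed" if kind == "signed-data" else "unknown"
    if ctype == "multipart/signed":
        if str(msg.get_param("protocol") or "").lower().endswith("pkcs7-signature"):
            return "signed"
    return "none"

def assess(raw):
    msg = message_from_string(raw)
    path = hops(msg)
    cleartext = [host for host, _, tls in path if not tls]
    protection = smime_protection(msg)
    return {
        "hops": path,
        "cleartext_hops": cleartext,
        "protection": protection,
        # TLS only covers the wire; stored copies need message-level encryption.
        "readable_on_wire": bool(cleartext) and protection != "encrypted",
        "readable_at_rest": protection != "encrypted",
    }

# Constructed sample; headers written by relays you do not run can be forged.
PLAIN = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mail.example.org (Postfix) with ESMTPS id 4C1D2; Mon, 1 Jan 2024 10:00:03 +0000
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
\tby mx2.example.net with ESMTP id 9A7B3; Mon, 1 Jan 2024 10:00:02 +0000
Received: from client.example.com (client.example.com [192.0.2.55])
\tby mx1.example.com with ESMTPSA id 1F00D; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.com
Content-Type: text/plain

Confidential numbers here.
"""
ENCRYPTED = PLAIN.replace("text/plain", "application/pkcs7-mime; smime-type=enveloped-data")

print(assess(PLAIN), assess(ENCRYPTED), sep="\n")
```

    Both sample messages cross the same non-TLS hop (`mx2.example.net`), but only the plain one is readable there; the S/MIME enveloped message stays ciphertext on the wire and in storage.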

    Given the current flood of fraudulent emails, the only solution to email fraud is to attach a trusted identity to every email by digital signature. This is because a digital signature cannot be counterfeited or forged, especially after the identity of the email signer has been validated. The real sender name and organization name are displayed in the email client so that receivers can easily confirm the sender’s identity and avoid being defrauded by fake identities.

    Currently, the widely adopted S/MIME standard for email encryption and signing does not support timestamp signing, but MeSign believes that emails in the digital world should carry a timestamp, just as postal mail does. Therefore, MeSign innovatively attaches a timestamp signature to the email digital signature, replacing the untrusted time from the email servers. The MeSign email timestamping service is a free supporting service for MeSign APP users, and the timestamp signatures can be used as evidence in different application scenarios, because the signed time cannot be tampered with, counterfeited or repudiated.

    MeSign has optimized the RFC 3161 standard timestamping technology so that the timestamp data is only 12% of the size of the standard timestamp signature data (reduced by 88%), which is more suitable for mobile applications and quick validation of timestamp signatures. We have also added a technical protection measure that prevents the original timestamp signature from being overwritten, which effectively guarantees that the original timestamp data cannot be replaced and so ensures the authenticity and non-repudiation of the email sent time.

    Just as postal mail must be postmarked, emails should also be time-stamped, and currently MeSign is the only one in the world that can do it for you!

  • 3. What are the special advantages of MeSign APP over other email client software?

    Currently, there are many email clients on the market that can be used to receive and send emails, and they are essential software, especially for businesspeople. However, these email clients do not support automated certificate encryption: some of them support configuring certificates manually, and the others do not support certificate encryption at all.

    MeSign APP is also email client software. It is compatible with the other commonly used email client software and with other email client software that supports the S/MIME standard for email encryption and digital signature. Its unique advantage is that MeSign APP automates the whole process of S/MIME certificate deployment and use, including:

    (1) encrypting all email by default with free email certificate automation.
    (2) getting a free email encrypting certificate and signing certificate from the CA automatically.
    (3) installing and configuring the email certificate automatically.
    (4) exchanging public keys automatically.
    (5) encrypting all outgoing email automatically.
    (6) digitally signing all outgoing email automatically.
    (7) decrypting all incoming encrypted email automatically.
    (8) renewing the expired certificate automatically.
    (9) retrieving and installing the email certificate automatically once you install MeSign APP on a new device.
    (10) giving all outgoing email not only a digital signature but also a trusted timestamp signature.
    (11) configuring the mail server settings automatically for most email accounts.

    MeSign APP users do not need to worry about the following headaches:

    (1) what an S/MIME email certificate is.
    (2) how and where to apply for the email certificate and how much it costs.
    (3) how to install and configure the email certificate.
    (4) how to use the certificate for email encryption and signature.
    (5) how to exchange public keys with the receiver.
    (6) how to send encrypted email.
    (7) how to securely store the email certificate.
    (8) how to export the email certificate to install it on another device.
    (9) how to prove the email sending time is true.
    (10) how to set the complex email server parameters.

    The user only needs to log into an email account in MeSign APP in the same way as in other commonly used email clients, write the email and send it; everything else is completely automated by MeSign APP. MeSign APP is completely zero-touch software that provides a zero-threshold entry to email encryption and email signature for users.

    MeSign APP is encrypted email client software. It is available on Windows, MacOS, Linux, iOS and Android, providing cross-platform support for email encryption and signature. MeSign allows you to easily send and receive encrypted and signed email on any PC platform and any mobile device at any time, protecting your confidential email information and preventing email from being counterfeited.

    MeSign APP uses the international standard S/MIME to implement email encryption and digital signature, and it is compatible with all other email client software that supports the S/MIME protocol. It can encrypt and decrypt email and parse signed email. The only difference is that MeSign APP can automate the whole process of S/MIME deployment, including applying for email certificates, configuring certificates, exchanging public keys, sending encrypted and signed emails, and timestamping every outgoing email. The publicly trusted Vp email certificate automatically configured by MeSign APP is automatically set up so that it can be used by Outlook (Windows version) directly. If users want to use this Vp email certificate in other email clients, they need to export and import the certificate manually.

    As shown in the figure below, the encrypted and signed email sent from MeSign APP can also be decrypted and displayed in other email client software that supports the S/MIME standard, such as Outlook (Windows version), Thunderbird (Windows version), iPhone iMail, etc.


    [Figure: screenshots of the email in MeSign App for iOS, MeSign App for Windows, Office 365 Outlook for Windows, Thunderbird for Windows, and iPhone Mail]
  • 4. Why does MeSign APP use the S/MIME standard to implement email signature and email encryption?

    S/MIME is the abbreviation for Secure/Multipurpose Internet Mail Extensions, an international standard protocol based on PKI technology that uses digital certificates to sign and encrypt the email body. In addition to email encryption, it has the advantage of signing the email with the sender’s trusted identity information, validated by a third-party CA, so that the receiver can easily confirm the sender's authentic identity.

    Another email encryption technology is PGP encryption. It uses an encrypting certificate generated by the sender to encrypt the email; there is no trusted identity information in the certificate, and it can be used for encryption only. MeSign thinks that PGP is not suitable for communication across organizations, and we also believe that confirming the sender’s authentic identity is as important as email encryption.

    At present, popular email client software such as Microsoft Outlook, Mozilla Thunderbird and Apple iMail all supports S/MIME encryption and digital signature. MeSign APP also uses the S/MIME standard to sign and encrypt email, so any email client software that supports S/MIME is compatible with MeSign APP for decrypting encrypted emails and validating signed emails. In addition, in online communications, confirming the sender’s authentic identity for receivers is as important as email encryption, especially for business emails. Signing the email with the sender’s trusted identity information cannot be done with PGP technology, because PGP technology does not have the users’ identity information validated by a third-party CA.

    NIST SP 800-177 "Trustworthy Email" Security Recommendation 5-4: Do not use OpenPGP for message confidentiality. Instead, use S/MIME with a certificate that is signed by a known CA. And Security Recommendation 4-11: Use S/MIME signatures for assuring message authenticity and integrity.

  • 5. How to apply for an S/MIME email certificate? Free or paid?

    If you want to use a certificate to encrypt email, the current approach is to apply for an S/MIME email certificate from a CA, and then install and configure it in the email client software. This process is a headache for users, and it is the only reason why S/MIME email encryption technology has not become popular for many years.

    However, MeSign has solved this headache completely. With MeSign APP, you don’t need to apply for email certificates from any CA. You only need to log into your mailbox in MeSign APP. After you log in, MeSign APP automatically applies for the email certificates from a CA and automatically installs and configures them. The default auto-applied and auto-configured V1 signing certificate and encryption certificate are completely free.

    However, the free default auto-deployed email certificates are only trusted by MeSign APP. If you use this certificate to send signed emails to users of other email client software, that software will indicate ‘There are problems with the signature’ or similar. If users would like to use an email certificate in our email client, they can pay for a publicly trusted Vp Email Certificate, and MeSign APP will use this certificate to digitally sign emails by default; other email clients will then show the details of the digital signature normally and indicate ‘This digital signature is trusted’ or similar.

    Users can buy the Vp Email Certificate directly in MeSign APP or on the MeSign website. Once the application is completed and paid for, the globally trusted email certificate is installed and configured for use automatically in MeSign APP.

  • 6. What algorithm does MeSign APP support?

    MeSign APP supports S/MIME email certificates using the RSA and SM2 algorithms for email signature and email encryption. The Chinese version of MeSign APP uses the SM2 algorithm by default, and other language versions use the RSA algorithm by default. All versions can switch algorithms freely at any time.

  • 7. What operating systems does MeSign APP support? Is MeSign APP compatible with other email clients?

    MeSign APP is available in Windows, Android, Apple iOS, Linux and Mac versions, providing cross-platform support for email encryption and signature. MeSign allows you to easily send and receive encrypted and signed email on any PC platform and any mobile device at any time, protecting your confidential email information and preventing your emails from being counterfeited.

    MeSign APP adopts international standard S/MIME to implement email encryption and digital signature. It is compatible with all other email client software that supports S/MIME standards. If users have purchased the publicly trusted Vp S/MIME Email Certificate, it will be automatically configured in MeSign APP and set to be used by Outlook (Windows version) directly.

  • 8. MeSign APP has already auto-configured a free email certificate for me, why do I need to apply for a charged publicly trusted email certificate?

    MeSign APP auto-configures the signing certificate and encrypting certificate when the user sets up and logs into MeSign APP successfully, but this certificate is only trusted in MeSign APP and can be used to encrypt and sign emails between MeSign APP users. However, if a MeSign user needs to send signed email to users of other email clients, those email clients need to trust the MeSign email certificate. To meet this requirement, users can purchase a Publicly Trusted S/MIME Email Certificate (Vp Certificate). The Vp Certificate is trusted not only by MeSign APP but also by most email client software that supports the S/MIME standard, such as Microsoft Outlook, Mozilla Thunderbird and Apple iMail. After the user has purchased the Vp Certificate, MeSign APP uses this certificate to digitally sign emails by default; other email clients then show the details of the digital signature normally and display ‘This digital signature is trusted’ or similar.

    The paid publicly trusted email certificate is optional, and users can purchase it on an as-needed basis. It can be applied for and paid for in MeSign APP or on the MeSign website. After the application is completed, the Vp Email Certificate is installed and configured in MeSign APP automatically. As shown in the figure below, the picture on the left shows the certificate path of the MeSign trusted email certificate, and the picture on the right shows the certificate path of the publicly trusted Vp Email Certificate.

  • 9. Why is the email encryption key automatically hosted in MeSign Cloud? How can users manage their keys locally?

    One of the most important reasons why S/MIME email encryption has not become popular is that key management is too complicated. Users not only need to apply for an email certificate from a CA, but also need to install the email certificate in their email clients. It must be configured and used correctly before it works, which is something most users cannot accomplish. Therefore, this headache must be solved to make email encryption popular.

    To ensure that users can easily decrypt email in MeSign APP on any device, anytime and anywhere, without having to spend time and effort importing certificates for decryption, the MeSign R&D team studied many leading cloud key management service providers and adopted the same solution for MeSign users. Normally, only one S/MIME email certificate is used for both encryption and signature. However, to provide a convenient service to MeSign users, MeSign splits the traditional single S/MIME email certificate into two separate certificates: one encrypting certificate and one signing certificate. The encrypting certificate key is generated in the cloud and securely hosted in the cloud, and users can automatically retrieve the encrypting certificate key pair from the cloud to decrypt emails automatically after completing the email control validation. This is therefore an automated email encryption and decryption solution that does not require manually importing email certificates. The signing certificate carries the user's identity information, and the user's signature behavior has legal effect. Therefore, MeSign APP generates the keys of the signing certificate on the local device, and encrypts and saves the key on the local device. This is why the serial number of the user’s signing certificate differs between devices.

    The S/MIME email certificate is split into two certificates that use different key management methods according to their two different uses, email signing and encryption. This eases the use of the S/MIME email encryption service while inheriting the non-counterfeiting, non-camouflage and non-repudiation features of the S/MIME email signature, so that S/MIME email encryption and signature technology can be used seamlessly with zero threshold. Users do not need to care about where the certificates are: they just write the email as usual and click send, and it is encrypted automatically; received encrypted emails are decrypted automatically.

    If users want to control the encrypting certificate key independently on-premise, they can purchase the MeSign Enterprise Key Management System (EKMS) and deploy the EKMS on the organization’s Intranet. With MeSign EKMS, employees retrieve the encrypting certificate key from their local EKMS rather than from MeSign Cloud KMS, which meets users' demand to manage their keys locally. This key can also be used to encrypt PDF documents, so one set of keys can be used for both email encryption and document encryption. Please note: for key security, please ensure that the EKMS cannot be connected to the Internet, and set up access control that allows employees of the organization to access the EKMS through the internal network by using MeSign APP only.

  • 10. Do MeSign email encryption and document encryption solutions meet the requirement of various privacy protection compliances?

    The European General Data Protection Regulation (GDPR) Article 25 requires "Data protection by design and by default". Because emails may contain users' confidential information, encrypting emails has become an important technical measure required by GDPR. Similarly, various management documents may also contain users' confidential information, so encrypting documents has become another important technical measure required by GDPR. In addition, Article 34 of the GDPR stipulates that if the user takes data encryption measures, the user can be exempted from many responsibilities once a data breach has happened.

    In the United States, the HIPAA and HITECH regulations require that Personal Health Information (PHI) transmitted by email be encrypted using digital certificates to protect patient privacy. Furthermore, encrypting email is a cost-effective method of meeting HIPAA’s email retention requirements without compromising security. Since email content is encrypted prior to archiving, it is protected from disclosure regardless of the manner in which it is stored.

    In China, the Cryptography Law (密码法) requires that all critical information infrastructure be protected by Chinese cryptographic algorithms, which includes the protection of emails and documents. Therefore, MeSign APP supports automatic configuration of the SM2 certificate and uses the SM2 algorithm to sign and encrypt emails and documents, to meet the requirements of the Law for the protection of email and documents in China.