SensorNet and Digital Certificates

Using Secure Email with Netscape 7.x and Mozilla

We strongly recommend that you use Netscape 7.x, or (preferably) Mozilla or the Mozilla separate browser Firefox and mail client Thunderbird to do your browsing and e-mails. Internet Explorer and Outlook have numerous security problems and are not very good at handling digital certificates.

Retrieving Other People's Digital Certificates
By now, you probably know that in order to send secure (specifically, encrypted) email to an individual with a SensorNet Certificate, you will need their public key (contained within their digital certificate). How do you get their public key? Well, at SensorNet, we store people's certificates in our online directory (LDAP). You can easily retrieve their certificates via the directory and place them into your computer. Listed below are the steps on how to do this.
First, we're going to make a new directory in Mozilla Mail's Address Book. Select "Address Book" from the "Windows" option in the menubar (see Figure 1.).
Open Address Book
Figure 1.
In the Address Book window, on the top menubar, click on "File", then "New", and then "LDAP Directory", as shown in Figure 2.
Making a new LDAP Directory entry
Figure 2.
Type SensorNet LDAP Directory Server into the "Name" field, and for "Hostname" (as illustrated in Figure 3). It is important to put in the correct base DN (distinguished name) for the directory: dc=sensornet,dc=gov with no spaces in it. Also check the Use secure connection (SSL) box and the port should change to 636.Click on "OK" when you are finished. Then click OK to close the Address Book window.
LDAP Directory properties
Figure 3.
You should now be back at your Mozilla Mail window. Now, click on "Edit" and then "Preferences". (see Figure 4)
Edit Preferences
Figure 4.
In the "Preferences" window, choose "Addressing" underneath "Mail & Newsgroups" in the left pane. On the right hand side, check the box marked "Directory Server" and select "SensorNet LDAP" in the drop-down menu. Click on "OK" when you are finished. (see Figure 5)
Address preferences
Figure 5.
Congratulations! Your Netscape/Mozilla email program is now set up to search the SensorNet LDAP directory for people's digital certificates. You will see this in action when you go to compose secure email.

An Alternate Method...

There is also another method of retrieving a person's digital certificate. Anyone who sends you a digitally signed email will have their public key automatically added to your list of certificates when you open their email. You can tell if the email that you've received is signed by the presence of the "Signed" icon in the upper right-hand corner of the email. (See Figure 6)
Digitally signed e-mail
Figure 6.
You can verify the sender's digital signature by clicking on the "Signed" icon. You'll see a verification window appear which will state that the message was digitally signed. Also, you will soon see that the sender's public key has been automatically added to your list of Other People's Certificates. (see Figure 7)
Security verification
Figure 7.
From the main Netscape 7 Mail window, click on "Edit" from the top menu, then select "Preferences", and then look at the left-hand pane. Select "Privacy & Security", and then "Certificates". On the right-hand pane, click on the "Manage Certificates" button. (see Figure 8)
Managing certificates
Figure 8.
In the Certificate Manager window, click on the "Other People's" tab at the top. You should now see the certificate of the person who sent you a signed email appear in the "Other People's" window. This enables you to send the person encrypted email (read below for more information). (see Figure 9)
Other people's certificates
Figure 9.

Encrypting Email
Now that you have your recipient's digital certificate in your computer, it's very easy to send an encrypted email. Go to compose an email as you normally would. However, before sending it, click on the little arrow next to the "Security" button, and select "Encrypt This Message" from the drop-down menu. (see Figure 10)

Then send the email as you normally would. The recipient will then be able to decrypt the email when s/he receives it by entering the passphrase to his/her private key when prompted.
Encrypting e-mail
Figure 10.
Please note that if you do not have the recipient's digital certificate in your browser's database, or if their certificate cannot be retrieved from the LDAP server, you cannot send encrypted email to them. If you try, you will see an error message (shown in Figure 10a) which will notify you that you do not have the recipient's digital certificate. At this point, you may choose to either send the email un-encrypted, or cancel the message altogether. Please read the above section entitled "Retrieving Other People's Digital Certificates" if you wish to send them an encrypted email.
Unable to find certificate message
Figure 10a.

Digitally Signing Email
Digitally signing email is similar to the procedure outlined just above for sending encrypting email. The only difference is that you will have to choose "Digitally Sign This Message" from the "Security" button drop-down menu before sending your message. (see Figure 11)
Signing mail
Figure 11.
When you are ready to send your digitally signed email, you will be prompted to enter the passphrase for the "bag" that holds your digital certificates (see Figure 12). You may be asked to enter your passphrase twice. After you enter it, your email will be sent, digitally signed.
password request
Figure 12.

Encrypting and Digitally Signing Email
You can send email that is both encrypted and digitally signed as well! To do this, you must make sure that before sending your email, both the "Encrypt This Message" and "Digitally Sign This Message" options from "Security" are checked (see Figure 13). You must have already retrieved the recipient's digital certificate onto your computer (please read the above section entitled "Retrieving Other People's Digital Certificates" if you haven't done so), and you will also be prompted to enter the passphrase for your digital certificate (see Figure 12). After you have done so, the email will be sent to the recipient encrypted and digitally signed by you! A digital signature provides some measure of non-repudiation for the message (assuming that your computer has not been hacked).
Encrypted and signed e-mail