Not every email address with which you want to exchange secure email has a valid certificate. In that case, password-based encryption can still provide secure and reliable communication, provided the email gateway itself is properly protected. The recipient receives the confidential message as a password-protected attachment: a PDF, an HTML file or a ZIP archive.
Another common password-based option is an HTTPS-protected web mailbox created on the fly. This lets a company set up protected communication with a recipient quickly. Accounts for external users are created and their passwords managed automatically, with no additional load on staff. For a higher level of security, the recipient must enter a PIN to activate the account; the PIN can be sent as a text message, so it travels over a channel separate from the email itself.
Using ad hoc certificates: security and practical issues
Another way to secure communication with a recipient is to issue ad hoc certificates. Although this approach may seem viable, in practice it is not a good one. When a secure email is sent, the sending organization acts as a Certification Authority and issues a certificate for the recipient on the fly. Simple certificate-management tooling that does not itself need access to the email content can do this without delaying delivery.
The recipient then receives the encrypted message together with a private key and a certificate. The problem with this method is that the PKI model is abandoned: the private key is not secret, because another organization (the sender) generated it and therefore knows it. Moreover, the certificate and the private key are transmitted over the same channel as the message itself, which does not meet the security requirements of a PKI.
Uncontrolled spread of ad hoc certificates
A problem faced by many certificate holders is the uncontrolled proliferation of the ad hoc certificates discussed above. A PKI participant normally has only one or two certificates, which are used for all communication partners; the analogy is a single phone number at which all partners can reach you. But if many companies each create certificates for their message recipients, a person ends up holding a certificate from every partner. How is the recipient to know which key to use, and when? If the person who was handed such a certificate signs emails with it regularly, the certificate keeps being renewed and the result is chaos. The Certification Authorities that would be needed for validation do not exist, so there is nowhere to turn for help.
Another problem arises in the B2B sector: if the client's Windows installation is reset or reinstalled, the keys in the local certificate store are lost. Because the company's central IT department does not know these keys, neither the keys nor the certificates can be restored. Such pseudo-PKIs are part of shadow IT and violate company policy.
Problems also occur when transmitting private data to end users (B2C). Users are forced to deal with technology they do not understand, and for most people the path of least resistance is a webmail provider. Ad hoc certificates are usually limited to the S/MIME standard, but webmail providers generally do not support it, so attempts to communicate this way lead to serious delays.
By issuing ad hoc X.509 certificates to external communication partners, a company takes on the role of a certification authority. Under eIDAS, the company thereby becomes a trust service provider, which brings certain legal requirements with it. In Germany, strict requirements for issuing companies are currently being developed.
Even if your encryption product has the technical ability to issue certificates to third parties, we believe that password-based encryption for recipients is a good option.