[PHP] Re: Sending Encrypted Email
On Tue, 21 Sep 2010, Floyd Resler wrote:
> I used OpenSSL to generate the P12 file (I haven't actually sent this
> to anyone since I'm still testing). So, I assumed that it was okay
> for distribution. Perhaps not. At any rate, I like the idea of the
> OpenPGP better. I'll see how to do that.

Oh good, good. That should work just fine. I thought you were saying that you'd sent the webserver's keys to the end-user.

There's an email encryption method called S/MIME that uses certificates and such that I think is handled pretty well by Outlook (or whatever Microsoft users do their email with these days). You could also look into that. It *might* be easier for your end-users.

--
Erik Arneson
GPG Key ID : 1024D/62DA1D25
BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
Office : +1.541.291.9776
Skype : callto://pymander
http://www.leisurenouveau.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Sending Encrypted Email
On Sep 21, 2010, at 11:15 AM, Erik L. Arneson wrote:
> On Tue, 21 Sep 2010, Floyd Resler wrote:
>> I got it all figured out. The part I was missing was combining the
>> certificate with the key and giving it to the end-user to install on
>> their system. I was able to use the Web server's certificate for the
>> encryption. The interesting thing is that the client wants ALL
>> passwords sent via encrypted email. Of course, they need the P12 file
>> installed in order to view the email and that requires a password to
>> install it.
>
> Wait, you didn't send the webserver's certificate to the user, did you?
> That's a bad idea. The email recipient should have her own certificate,
> which has both a private and a public part.
>
> The webserver's certificate (presumably the one you have signed by the
> CA), especially the private key, needs to be kept *private*, and not
> sent all over the place. Using the same private/public key pair on both
> endpoints defeats the purpose of PKI. You would be better off using
> plain old symmetric encryption.
>
>> So, obviously, I can't send that password encrypted. So, my solution
>> is to provide a Web page that the user gets to by an emailed link that
>> has a unique identifier and the user must enter a piece of personal
>> information for verification (in this case, ZIP code). Once verified,
>> they are shown the password on the page. That's the only way I can
>> think of to do it. Is that a good solution or does someone have a
>> better way?
>
> I'm sure there are some good products out there to handle this.
> Personally, for email encryption I always prefer the OpenPGP family of
> tools (including GnuPG and commercial PGP). End-users can install PGP
> on their systems, generate public keys, and then send them to the
> webserver. No passwords need to be handed out---they will come up with
> their own passphrases when they generate their public/private key pairs.
>
> --
> Erik Arneson
> GPG Key ID : 1024D/62DA1D25
> BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
> Office : +1.541.291.9776
> Skype : callto://pymander
> http://www.leisurenouveau.com/

I used OpenSSL to generate the P12 file (I haven't actually sent this to anyone since I'm still testing). So, I assumed that it was okay for distribution. Perhaps not. At any rate, I like the idea of the OpenPGP better. I'll see how to do that.

Thanks!
Floyd
[PHP] Re: Sending Encrypted Email
On Tue, 21 Sep 2010, Floyd Resler wrote:
> I got it all figured out. The part I was missing was combining the
> certificate with the key and giving it to the end-user to install on
> their system. I was able to use the Web server's certificate for the
> encryption. The interesting thing is that the client wants ALL
> passwords sent via encrypted email. Of course, they need the P12 file
> installed in order to view the email and that requires a password to
> install it.

Wait, you didn't send the webserver's certificate to the user, did you? That's a bad idea. The email recipient should have her own certificate, which has both a private and a public part.

The webserver's certificate (presumably the one you have signed by the CA), especially the private key, needs to be kept *private*, and not sent all over the place. Using the same private/public key pair on both endpoints defeats the purpose of PKI. You would be better off using plain old symmetric encryption.

> So, obviously, I can't send that password encrypted. So, my solution
> is to provide a Web page that the user gets to by an emailed link that
> has a unique identifier and the user must enter a piece of personal
> information for verification (in this case, ZIP code). Once verified,
> they are shown the password on the page. That's the only way I can
> think of to do it. Is that a good solution or does someone have a
> better way?

I'm sure there are some good products out there to handle this. Personally, for email encryption I always prefer the OpenPGP family of tools (including GnuPG and commercial PGP). End-users can install PGP on their systems, generate public keys, and then send them to the webserver. No passwords need to be handed out---they will come up with their own passphrases when they generate their public/private key pairs.

--
Erik Arneson
GPG Key ID : 1024D/62DA1D25
BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
Office : +1.541.291.9776
Skype : callto://pymander
http://www.leisurenouveau.com/
Re: [PHP] Re: Sending Encrypted Email
On Sep 21, 2010, at 1:00 AM, Erik L. Arneson wrote:
> On Thu, 16 Sep 2010, Nathan Rixham wrote:
>> Floyd Resler wrote:
>>> I need to send encrypted email. Can I use our server's signed certificate
>>> we use for Apache?
>>
>> Yes you can use the server's certificate, you can use any x509
>> certificate you like - however, I'd recommend checking out
>> startssl.org who will give you a free smime certificate.
>
> But that is probably just for *signing* the email. If you'd like to
> encrypt email, you will need a public key or shared secret from the
> email recipient.
>
> --
> Erik Arneson
> GPG Key ID : 1024D/62DA1D25
> BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
> Office : +1.541.291.9776
> Skype : callto://pymander
> http://www.leisurenouveau.com/

I got it all figured out. The part I was missing was combining the certificate with the key and giving it to the end-user to install on their system. I was able to use the Web server's certificate for the encryption. The interesting thing is that the client wants ALL passwords sent via encrypted email. Of course, they need the P12 file installed in order to view the email and that requires a password to install it. So, obviously, I can't send that password encrypted. So, my solution is to provide a Web page that the user gets to by an emailed link that has a unique identifier and the user must enter a piece of personal information for verification (in this case, ZIP code). Once verified, they are shown the password on the page. That's the only way I can think of to do it. Is that a good solution or does someone have a better way?

Thanks!
Floyd
[PHP] Re: Sending Encrypted Email
On Thu, 16 Sep 2010, Nathan Rixham wrote:
> Floyd Resler wrote:
>> I need to send encrypted email. Can I use our server's signed certificate we
>> use for Apache?
>
> Yes you can use the server's certificate, you can use any x509
> certificate you like - however, I'd recommend checking out
> startssl.org who will give you a free smime certificate.

But that is probably just for *signing* the email. If you'd like to encrypt email, you will need a public key or shared secret from the email recipient.

--
Erik Arneson
GPG Key ID : 1024D/62DA1D25
BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
Office : +1.541.291.9776
Skype : callto://pymander
http://www.leisurenouveau.com/
[PHP] Re: Sending Encrypted Email
Floyd Resler wrote:
> I need to send encrypted email. Can I use our server's signed certificate we
> use for Apache?

Yes you can use the server's certificate, you can use any x509 certificate you like - however, I'd recommend checking out startssl.org who will give you a free smime certificate.

Note: Each certificate has codes embedded which state for what you can use said certificate. Although it's technically possible to use almost any certificate for anything, it's best to use one which has the correct flags set.

Best,
Nathan
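The two points raised in this thread, that the message must be encrypted to the recipient's own certificate rather than the Web server's, and that the certificate's embedded usage flags should actually permit e-mail encryption, can be checked together from PHP's ext/openssl. The following is an added example written for this thread, not code posted by any participant; the certificate path, the `certAllowsEmailEncryption()` and `encryptForRecipient()` helpers and the addresses are assumptions, and it expects PHP 8 or later.

```php
<?php
// Added example (not from the thread): S/MIME-encrypt a message to the
// recipient's own certificate and refuse certificates whose usage flags
// don't permit e-mail encryption. Assumes PHP 8+ with ext/openssl and a
// PEM public certificate obtained from the recipient (placeholder path).

function certAllowsEmailEncryption(string $certPem): bool
{
    $info = openssl_x509_parse($certPem);
    if ($info === false) {
        return false; // not a parseable X.509 certificate
    }
    $ext = $info['extensions'] ?? [];
    // OpenSSL renders these extensions as comma-separated text.
    $eku = $ext['extendedKeyUsage'] ?? '';
    $ku  = $ext['keyUsage'] ?? '';
    $emailOk = str_contains($eku, 'E-mail Protection');
    // RSA key transport in S/MIME needs Key Encipherment; a cert with no
    // keyUsage extension at all places no restriction, so allow it.
    $keyOk = $ku === '' || str_contains($ku, 'Key Encipherment');
    return $emailOk && $keyOk;
}

function encryptForRecipient(string $recipientCertPem, string $body, array $headers): string
{
    if (!certAllowsEmailEncryption($recipientCertPem)) {
        throw new RuntimeException('Recipient certificate is not flagged for S/MIME encryption');
    }
    $in  = tempnam(sys_get_temp_dir(), 'msg');
    $out = tempnam(sys_get_temp_dir(), 'enc');
    try {
        file_put_contents($in, $body);
        // Encrypt to the recipient's public key only; no private key is involved.
        $ok = openssl_pkcs7_encrypt($in, $out, $recipientCertPem, $headers, 0, OPENSSL_CIPHER_AES_256_CBC);
        if (!$ok) {
            throw new RuntimeException('openssl_pkcs7_encrypt failed: ' . openssl_error_string());
        }
        return file_get_contents($out);
    } finally {
        unlink($in);
        unlink($out);
    }
}

// The recipient's public certificate is all that is needed here; the Web
// server's own .p12 (certificate + private key) never leaves the server.
$recipientCert = file_get_contents('/path/to/recipient-cert.pem'); // placeholder path
$mime = encryptForRecipient($recipientCert, "Message body goes here\r\n",
    ['To' => 'user@example.com', 'From' => 'noreply@example.com', 'Subject' => 'Encrypted message']);
echo $mime; // full MIME entity (headers + base64 PKCS#7 body) ready to hand to a mailer
```

The flag check relies on the text form in which `openssl_x509_parse()` reports extensions; a certificate issued for TLS server use (like the Apache one discussed above) will typically fail it, which is the point.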