I've always been troubled by the prospect of creating and issuing
certs for our customers. It seems like a giant security hole in that I
would know their passwords and actively possess their certificates.
Would it be possible to make the CA so a client could create the cert
without an admin's intervention? For example, they log onto the box with
some passphrase we supply (we don't want everyone using our CA) and
create and download their own cert. Maybe the certs are stored and sent
encrypted by whatever password the client chooses?
Just a thought.
[mailto:email@example.com] On Behalf Of Martijn Brinkers
Sent: Wednesday, May 27, 2009 2:52 PM
To: Scott Chapman
Subject: Re: [Djigzo users] Customer experience
Djigzo currently supports two encryption modes: S/MIME (using
certificates) and PDF. S/MIME is a widely supported email encryption
standard. S/MIME is natively supported by most common email clients
like Outlook, Outlook Express, Windows Mail, Lotus Notes, Thunderbird,
Evolution, Apple Mail, BlackBerry etc. The only requirement, apart from
an S/MIME-capable email client, is that the end-user needs to have a
certificate. A new version of Djigzo, which will be released next week,
will contain a CA server that allows you to securely issue certificates
(and keys) to end-users. Certificates will be sent via a password-
encrypted PFX file which can be imported into your email client.
A big advantage of issuing certificates to end-users is that Djigzo
functions as a "key escrow". If an external recipient loses the
certificate and private key because of a system crash and forgot to
create a backup, the recipient can no longer decrypt incoming email.
Because a backup of the certificate and key is stored on the Djigzo
server, the system administrator can securely send a new copy to the
An advantage of using S/MIME is that the message itself is secured and
only stored client side, and once you set up the certificates it's pretty
transparent. You send and receive email using your normal email client.
The disadvantage is that even though importing a PFX file into your
email client is pretty simple (and it has to be done just once), it can
be problematic for some users.
PDF encryption can be an alternative for situations where the end user
does not want or cannot install a certificate. It's not as transparent
as S/MIME because the original message gets converted to a PDF
(including all attachments). This PDF is then encrypted with a password
and attached to a new standard message (based on a template). This
standard message does not contain any information other than a general
note that the message contains an encrypted PDF. Because the message
itself is encrypted the message content is only stored on the clients
The problem with any email encryption solution, and one that cannot be
solved, is that there has to be some sort of 'key' negotiation process.
With a web-based approach like Zixit and Voltage the end user needs to
create an account. With a password-encrypted PDF or a password-encrypted
certificate (and key) file the end user needs to know the password etc.
With Djigzo, passwords can be static or randomly generated. The static
password has to be sent to the end user in a secure way (it has to use a
different communication channel than email). Djigzo has a built-in SMS
gateway that allows you to send the passwords automatically to the end
user via an SMS text message. The password is sent over a different
channel than the encrypted email. Getting hold of just one piece of
information, either the password or the email, is not enough to read the
Whether a web-based approach, like Zixit, is a better user experience
depends on your end users. A web-based approach can be easier, because
it's just like opening Hotmail, but not as secure as encrypting the
Now what I have written are all just words :) so if you want I can send
you a few example messages to show how it really works.
Scott Chapman wrote:
We are currently using Zixit and looking for an alternative. With Zix
a customer is sent an encrypted email; they receive a link to a website,
they create an account and then see the email. What is the customer
experience with Djigzo?
Djigzo open source email encryption gateway www.djigzo.com
Users mailing list
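The "password-encrypted PFX file" delivery that Martijn's reply describes, and the escrow copy that stays on the server, as an added example that is not Djigzo's own code: a small private CA issues an end-user S/MIME certificate with openssl and packages key plus certificate into a PKCS#12 file that only opens with the passphrase sent over the separate channel. The CA name, user address, paths and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Djigzo's own code: issue an end-user S/MIME certificate
# from a small private CA and package key + certificate as a password-protected
# PKCS#12 (PFX) file. Names, paths and passphrases are constructed for the
# demo; it needs the openssl command-line tool.
set -eu

issue_pfx() {
  # $1 = working directory, $2 = user's email address, $3 = PFX passphrase
  dir=$1; user=$2; pass=$3
  mkdir -p "$dir"
  # 1. Throwaway CA: private key plus self-signed root certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Gateway CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. End-user key pair and certificate request.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
  # 3. Extensions for an email certificate: the address in the SAN (mail
  #    clients match it against the sender) and the emailProtection EKU.
  printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\n' \
    "$user" > "$dir/user.ext"
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/user.ext" \
    -out "$dir/user.crt" 2>/dev/null
  # 4. Bundle key, certificate and CA chain into a PFX encrypted under the
  #    passphrase. Only user.pfx goes to the user; the passphrase travels
  #    over a different channel (SMS in the reply above).
  openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
    -certfile "$dir/ca.crt" -name "$user" -passout "pass:$pass" \
    -out "$dir/user.pfx"
  # ca.key (and user.key, if kept as the escrow copy) stay on the server.
}

# Returns 0 when the PFX unlocks with the given passphrase, non-zero otherwise
# (the check a mail client performs on import).
pfx_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Returns 0 when the user certificate chains to the demo CA.
cert_chains_to_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/user.crt" >/dev/null 2>&1
}
```

Run `issue_pfx /tmp/demo alice@example.com 'demo-pass'` and then `pfx_opens_with /tmp/demo/user.pfx demo-pass` to see the import succeed, and the same call with a wrong passphrase fail.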