13 Signing e-mails

In Chapter 11 you learnt more about verifying the authenticity of a public OpenPGP certificate, and signing it with your own private OpenPGP key.

This chapter also explains how to sign a complete e-mail rather than only the certificate. That means applying a digital signature to the e-mail – which is a form of an electronic seal.

“Sealed” in this way, the text can still be read by everyone, but it allows the recipient to find out whether the e-mail was manipulated or modified during delivery. The signature tells the recipient that the message is really from you. In addition, if you are corresponding with someone whose public certificate you do not have (for whatever reason), you can at least “seal” the message with your own private key.

You have probably noticed that this digital signature is not identical to an e-mail “signature”, which is sometimes included at the end of an e-mail and includes such items as telephone number, address and website. While these e-mail signatures simply function as a type of business card, a digital signature will protect your e-mail from manipulation and clearly confirms the sender.

Besides, a digital signature of this kind cannot be compared with the qualified electronic signature that went into effect as part of the Signature Act (22 May 2001). However, it serves exactly the same purpose for private or professional e-mail communication.
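The seal described above can also be tried on the command line. The following is an added example, not part of the Compendium: it uses the gpg tool from GnuPG (assumed to be version 2.1 or later and on the PATH, run from a POSIX shell) with a throwaway keyring, and the sender name, address and message text are constructed.

```shell
#!/bin/sh
# Added example (not from the Compendium): clear-sign a text with gpg,
# then show that any change to the signed text is detected.
# Assumes GnuPG 2.1+ on PATH. Name, address and message are constructed.

sign_message() {    # $1 = plain text file, $2 = clear-signed output
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
      --local-user sender@example.org --output "$2" --clearsign "$1"
}

verify_message() {  # exit status 0 only if text and signature match
  gpg --batch --quiet --verify "$1" 2>/dev/null
}

check_seal() {      # runs inside the throwaway keyring in $GNUPGHOME
  # Throwaway signing key without passphrase; a real key has one.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Sender <sender@example.org>' \
      ed25519 sign never 2>/dev/null || return 2
  printf 'Please transfer 100 EUR to Alice.\n' > "$GNUPGHOME/mail.txt"
  sign_message "$GNUPGHOME/mail.txt" "$GNUPGHOME/mail.asc" || return 2
  # 1. The "sealed" text is still readable by anyone.
  grep -q 'transfer 100 EUR' "$GNUPGHOME/mail.asc" || return 3
  # 2. The untouched message verifies.
  verify_message "$GNUPGHOME/mail.asc" || return 4
  # 3. One changed digit in transit breaks the seal.
  sed 's/100 EUR/900 EUR/' "$GNUPGHOME/mail.asc" > "$GNUPGHOME/tampered.asc"
  if verify_message "$GNUPGHOME/tampered.asc"; then return 5; fi
  return 0
}

run_demo() {        # 0 = all three checks behaved as described
  GNUPGHOME=$(mktemp -d) || return 2
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  check_seal; status=$?
  gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$GNUPGHOME"
  unset GNUPGHOME
  return "$status"
}

run_demo && echo "seal intact on original, broken on tampered copy"
```

A non-zero result from `run_demo` identifies the step that failed: 2 for key generation or signing, 3 for readability, 4 for verifying the original, 5 if the tampered copy was wrongly accepted.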


The Gpg4win Compendium 3.0.0-beta1

Chapter 13. Signing e-mails

13.1 Signing with GpgOL

In fact, signing an e-mail is even easier than encrypting it (see Chapter 12). Once you have composed a new e-mail, go through the following steps – similar to the encryption process:

Send message with signature

Select certificate

Completing the signing process

These steps are described in detail on the following pages.

Sending a signed message

First, compose a new e-mail in Outlook and address it to the person you are writing to.

Before you send your message, tell the system that your message should be sent with a signature: To do this, activate the button with the signature pen or the menu item Format→Sign message.

Your e-mail window would then look something like this:

Now click on [ Send ].

Selecting certificates

Just as is the case for encrypting e-mails, Gpg4win automatically detects the protocol – OpenPGP or S/MIME – for which your own certificate (with the private key for signing) is available.

If you have your own OpenPGP and S/MIME certificate with the same e-mail address, Kleopatra will ask you to select a protocol before the e-mail is signed:

If you have several certificates (e.g. two OpenPGP certificates for the same e-mail address) for the selected method, Kleopatra will open a window which displays your certificates (here: OpenPGP), each with its own private key:

Confirm your selection with [ OK ].

Completing the signing process

In order to complete the signing process for your e-mail, you will be asked to enter your secret passphrase in the following pin entry window:

This is required because:

You can only sign with your own private key.

This makes sense, because only your own private key confirms your identity. The person you are corresponding with can then check your identity using your public certificate, which he already has or can obtain, because only your private key matches your public certificate.

Confirm your passphrase entry with [ OK ]. Your message is now signed and sent.

Once your message has been signed successfully, the following dialog appears:

Congratulations! You have signed your first e-mail!

In short:

You have learnt how to sign an e-mail using your own certificate – which contains your private key.

You know how to encrypt an e-mail using the public certificate of the person you are writing to.

Now you are familiar with the two most important techniques for sending secure e-mails: encryption and signatures.

Of course you can also combine the two techniques. From now on, each time you send an e-mail, think about how you want to send it – depending on the importance and required level of protection for your e-mail:

non-encrypted

encrypted

signed

signed and encrypted (more on this in Section 13.4)

You can use these four combinations with either OpenPGP or S/MIME.
