Manage Learn to apply best practices and optimize your operations.

Digital certificates and webmail

In this Ask the expert Q&A, our application security expert analyzes whether or not you can use digital IDs and certificates with webmail. He also discusses how and where to secure these devices to ensure your e-mail system is secure.

Is there a way to use Digital IDs and certificates with webmail?

Unfortunately, this is not an option. In order to digitally sign or decrypt your messages, the private key (which...

is part of your digital ID) has to be installed on the PC you are using to access your webmail. Theoretically, this would be fine if you only accessed your webmail from your own PC. However, one of the main advantages of webmail is that you can access it from any Internet-connected PC. If you installed your digital ID on every public computer you used, you would soon find others using it to impersonate you. This would destroy the whole concept of a digital ID, as it is supposed to be "tied" to its owner. This is why current webmail programs, like Hotmail and Yahoo, are unable to handle digital certificates or encryption. So, for now you will have to use an e-mail program such as Outlook Express if you want to sign, encrypt and decrypt your e-mail. If you read your e-mail using a Web browser, it is likely to simply ignore the certificate and just show an smime.p7s attachment. The e-mail displays like any other e-mail but you won't know that it has been digitally signed.

You don't have to store your digital certificate and keys on your PC's hard drive. You can use a floppy disk or other removable media, such as a USB key or smart card. In the future, popular webmail services may be able to detect if your digital ID is stored on removable media and therefore allow it to be used. However, unless there is huge demand from the public for such a service, I doubt it will appear any time soon even though it already exists for enterprise Intra and Extranets. The latest version of Outlook Web Access supports S/MIME e-mail, for example. The user must either be using the PC that stores their digital certificate or activate the removable device on which it is stored to make the certificate available to the browser. For example, if you were using a smart card you would need to insert it into a reader and enter the Personal Identification Number (PIN) before the certificate could be used.

There are also mail applications for organizations that wish to exchange secure e-mail with external customers and partners who do not have certificates or S/MIME capabilities within their own e-mail applications, such as Entrust's Entelligence WebMail Center.


Related Information

  • Attend SearchSecurity.com's E-mail Security School and learn how to secure your e-mail systems
  • Learn how digital certificates are used to secure public key transport
  • Visit our encryption resource center for news, tips and expert advice.


This was last published in September 2005

Dig Deeper on PKI and digital certificates