hypercube asked:

email digital signatures / Certificates

I need to produce emails with digital signatures.
I understand this requires a Certificate.
I imagine our plan would be to use Office 2016 or 365 Outlook email client.

I find GlobalSign, IdenTrust, Sectigo with prices that vary quite a bit.
I have NO idea what's best.
This would be for communications sent to the Veterans Administration.

Comments and suggestions would be appreciated.
David Johnson, CD

There is no difference between certificates from different suppliers.  As long as they are in the list of trusted certificate authorities, whether or not the certificate cost $1 or $1M.
hypercube (ASKER)

Well, I kinda believe in competition's effect on pricing.  So it seems there must be a reason why the prices vary so widely.
Pricing aside, it appears that the user needs (i.e. wants) to use Gmail webmail.  I've set up a G Suite account so I can experiment with it.
I don't know if the information I'm seeing is "old" as is often the case with web searched info.
But some seem to suggest that web mail can't be securely signed.  And others suggest the opposite.
I don't want to waste time and money on a blind alley....

Along with that I believe we only need a secure digital signature but wonder with what I'm reading whether message encryption is separable.
My experience with encryption is that it's a PITA.

Since I have very little idea what I'm getting into here, let me explain:

Encrypted messages such as those supported through Cisco services always arrive like this:
An email arrives and it has an encrypted attachment.  One has to "join the club" in order to see the attachment.
This can be cumbersome, certainly at the beginning.
So, I'd avoid it if we can be allowed to do that.  
So, I ask this question......

What I'd like is to receive a message that is automagically confirmed to be sent from Joe Dokes; and that is all.
And, I'd like to avoid the cumbersome process of decrypting messages altogether.

I know the objectives make sense but is it doable?  Is it normal?
Google discontinued GAME and there are several competitors in the market place i.e. zix https://support.google.com/a/answer/6105277?hl=en
Office 365 E plans can secure mail
I know that you get it David but others may be misled so I'll just comment:
- I don't need a way to paste in a text signature block.
- I don't need a way to paste in a cursive signature image.
- I need a way to certify a message with a digital/electronic "signature" that can guarantee the sender using keys, certificates, etc.
I have found that Google Suite email can support DKIM and have tested it (I think).  
It seems that DKIM is exactly what I was looking for.  Comments?
I like it in that there's no requirement for recipient coordination.  But they do have to read the header to find it / know that it is signed.
It would be great if there were a way to have the email say "this is signed" - short of adding a legend....  but that may suffice.
DKIM has absolutely nothing to do with email encryption. DKIM doesn't sign messages.
DKIM/SPF help prevent spoofing of the email address
A signed email message is prevented from any changes and it verifies that the email is exactly as sent by the sender.
David Johnson:  I don't believe that I indicated a desire to encrypt messages here.  Although, that may be of interest as I move along with this.  So, for now, encryption isn't an objective.

Since DKIM is presented as a "signature" then one might well say that it does "sign messages".  I'm not disagreeing with you, just wanting to understand better.  e.g.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=coastal-computers-networks.net; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
        bh=dE+EYaOLnDYdkAJ5VnEyENQXi8tSX79GfcCAOAY0iw0=;
        .........
         eszA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to;
        bh=dE+EYaOLnDYdkAJ5VnEyENQXi8tSX79GfcCAOAY0iw0=;
        .....
         nf9Q==


So, it appears that I'm missing something....

Thanks
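
As an added illustration (not part of the original thread and not code from any poster), this Python sketch parses the DKIM-Signature header quoted above to show what it identifies: the signing domain (d=), the DNS name where the public key is published (selector s= under _domainkey), and the header fields the signature covers (h=). It parses only and does not verify anything; the b= value is elided in the thread, so a labelled placeholder stands in for it, and the function names are hypothetical.

```python
import re

# Constructed sample: tag values come from the header quoted in the thread,
# except b=, which is elided there and replaced by a labelled placeholder.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "        d=coastal-computers-networks.net; s=google;\r\n"
    "        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;\r\n"
    "        bh=dE+EYaOLnDYdkAJ5VnEyENQXi8tSX79GfcCAOAY0iw0=;\r\n"
    "        b=PLACEHOLDERSIGNATURE==\r\n"
)

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # required tags per RFC 6376

def parse_dkim_signature(header: str) -> dict:
    """Split a DKIM-Signature header into its tag=value pairs."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        key, sep, val = item.partition("=")
        key = key.strip()
        if not sep or key in tags:
            raise ValueError(f"malformed or duplicate tag: {item.strip()!r}")
        # Folding whitespace inside b=, bh= and h= values is not significant
        tags[key] = re.sub(r"\s+", "", val)
    missing = [t for t in REQUIRED if t not in tags]
    if missing:
        raise ValueError(f"missing required tags: {missing}")
    return tags

def summarize(header: str) -> dict:
    """Report what the signature covers and where the public key lives."""
    t = parse_dkim_signature(header)
    signed = [h.lower() for h in t["h"].split(":")]
    return {
        "signing_domain": t["d"],
        "key_dns_name": f'{t["s"]}._domainkey.{t["d"]}',  # TXT record with the key
        "signed_headers": signed,
        "from_is_signed": "from" in signed,
        "canonicalization": t["c"] if "c" in t else "simple/simple",
    }

if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k}: {v}")
```

The key is looked up under the signing domain rather than under an individual mailbox, so the header identifies the domain that signed the message on its way out, while an S/MIME signature is made with a certificate issued to a specific email address.
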
Line 1 of your question: I need to produce emails with digital signatures.
David Johnson: I'm sorry, that's just too cryptic for me.  
I guess I should take the hint and figure out why you equate digital signatures with encryption.  
Well, I relate encryption with public and private keys.  And, as I get it, DKIM uses public and private keys.  
So, I'm still missing the point.
I admit, I started referring to Certificates without knowing how they might play into this objective.
If I knew the answers I wouldn't be asking.
I think what you are referring to is getting the little lock shown in Outlook. https://www.globalsign.com/en/secure-email/

For GSuite, you would have to have the enterprise edition https://support.google.com/a/answer/6374496?hl=en.  

Take a look at the GSuite help docs on security https://gsuite.google.com/faq/security/ and see if what is already being done is helpful

DKIM is something different and more about preventing spam and spoofing.  Start here https://support.google.com/a/answer/174124?hl=en You will want to use both DKIM and SPF. This will be adding information to your DNS. You will do this in your admin panel and if you have a well-known registrar such as GoDaddy, there is an option to use their API where you authorize GoDaddy to interact with Google and all of this is generated through a wizard.   In any case, nothing you need to do with a certificate for DKIM or SPF.
Thanks folks!  
Well, I'm back at this issue now.  
I set up a GSuite account because it was supposed to provide what I need.
Now they are telling me that they don't provide....
????
I'm going around in circles it appears.
Either this is a common capability or it isn't.  Either way, I need it.
I am clearly not "checked out" with the lingo in this regard - so it's hard for me to convey my needs and understand the answers.
Just focus on the first sentence in your question.

I need to produce emails with digital signatures.

This means different things to different people and that is the cause for confusion.

Can you describe what you mean by a digital signature?  
https://support.office.com/en-us/article/secure-messages-by-using-a-digital-signature-549ca2f1-a68f-4366-85fa-b3f4b5856fc6
A digital signature attached to an email message offers another layer of security by providing assurance to the recipient that you—not an imposter—signed the contents of the email message. Your digital signature, which includes your certificate and public key, originates from your digital ID. And that digital ID serves as your unique digital mark and signals the recipient that the content hasn't been altered in transit. For additional privacy, you also can encrypt email messages.
Scott Fell:  Thank you!

I perhaps should have said what I *don't* need:
- I don't need an automatic text signature block at the end of the message.
- I don't need a signature image at the end of the message.

I need what you described - provide assurance to the recipient that you - not an imposter - signed the message.

Additionally, the User has specified Google Mail must be used.  This requirement came later but that's what they want.
Fred, That is what I thought.  I pointed out here https://www.experts-exchange.com/questions/29136552/email-digital-signatures-Certificates.html?anchorAnswerId=42808145#a42808145 that for GSuite, you have to be on enterprise / enterprise education level.
ASKER CERTIFIED SOLUTION
Scott Fell
Thank you both!  As a result of the discussion, I was able to at least implement digitally-signed emails from my Outlook installation.
Having done that, it's much clearer how the pieces of the puzzle fit together - which is what I was wanting to know.
In the meantime, the customer tells me the VA rather lost interest in their own "requirement".  Ah well.....