setting up encryption certs for known parties

on 08.11.2006 16:47:38 by botfood

I am a newbie at attempting to encrypt email... always just assumed
that email was pretty much public. ;) Anyway, I am attempting to enable
encryption for some attachments for which 'all reasonable attempts at
security' must be made, i.e. anything with medical info should be
protected by HIPAA rules.

So, I am wondering what the simplest way is to set up encrypted
transmission of occasional emails between known parties. For instance
a small group of doctors and a transcriptionist.

I have experimented and gotten a free cert from thawte, and seem to be
able to send digitally signed emails. However, I seem to be in a
catch-22 where the target email gets my public key, and it shows up in
their cert manager, but then they can't send me back an encrypted email.

Do they need to get a cert too?

I thought that by getting a digital signature, they would be able to
send ME encrypted mail.... or am I missing the point, and they need a
cert as well to make it work?

thanks,

Re: setting up encryption certs for known parties

on 09.11.2006 01:18:45 by Sam

botfood writes:

> I have experimented and gotten a free cert from thawte, and seem to be
> able to send digitally signed emails. However, I seem to be in a
> catch-22 where the target email gets my public key, and it shows up in
> their cert manager, but then they can't send me back an encrypted email.
>
> Do they need to get a cert too?
>
> I thought that by getting a digital signature, they would be able to
> send ME encrypted mail.... or am I missing the point, and they need a
> cert as well to make it work?

Neither. Digital signatures, and encryption, are two completely separate
things. Often the two go together, but they do not have to be.

Sounds like you're using some kind of a certificate that only provides for
signing capabilities, but not encrypting. There are different kinds of
certificates, and signatures. I am not really familiar with the proprietary
crap that some commercial entities, like Verisign, push. I prefer to use
PGP for both signing and encryption. It's free, and it's well supported by
free software, and I don't need to beg anyone for a certificate.

For the situation you described, PGP is a _perfect_ solution. Each one of
your group of users would create their own key, you all sign each other's
keys, and use them to swap signed/encrypted mail.

The only glitch is that whatever mail software you're using, it has to
support the OpenPGP standard. Most free software does. But you're probably
using non-free software from Microsoft to read and write mail, which is
allergic to free and open standards. Good luck.


Re: setting up encryption certs for known parties

on 09.11.2006 02:06:41 by botfood

On Nov 8, 5:18 pm, Sam wrote:
> botfood writes:
> > I have experimented and gotten a free cert from thawte, and seem to be
> > able to send digitally signed emails. However, I seem to be in a
> > catch-22 where the target email gets my public key, and it shows up in
> > their cert manager, but then they can't send me back an encrypted email.
>
> > Do they need to get a cert too?
> ----------------------------------------------------------

After some experimentation and eventual success, I can answer my own
question. Thought I'd post for anyone else interested.

Turns out that yes indeed, both parties need to have their own
certificates. Before sending encrypted mail, they have to send each
other digitally signed mail, which carries the public keys. I use
Mozilla 1.7.13.... because I am allergic to Microsoft. Mozilla
automatically stores the public keys, and after that, you can send
encrypted mail without a hitch. All the new email seems to support
S/MIME, so it's all automatic.

I got free email certs from thawte.com, and while they are sorta
generic in that they don't have MY NAME attached, it works fine between
trusted parties when you are expecting to swap certs.
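The exchange botfood describes (each party has its own cert, a signed message carries the signer's cert, and only then can the other side encrypt), as an added shell demo with the openssl CLI; this is not code from the thread. The party names "doctor" and "typist", the self-signed certificates and the messages are constructed, and the keyUsage check illustrates Sam's point that a signing-only cert cannot receive encrypted mail.

```shell
#!/bin/sh
# Constructed S/MIME exchange demo (not from the thread). Requires the openssl CLI.

# Each party makes a key and a self-signed cert. keyUsage must include
# keyEncipherment as well as digitalSignature, or the cert can sign but
# nobody can encrypt to it.
mkcert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=emailProtection" >/dev/null 2>&1
}

# Returns 0 if the cert's keyUsage allows receiving encrypted mail.
cert_can_encrypt() {
  openssl x509 -in "$1" -noout -text | grep -q 'Key Encipherment'
}

# Runs the whole exchange in a temp dir and prints the decrypted reply.
smime_exchange_demo() {
  work=$(mktemp -d)
  (
    cd "$work" || exit 1
    mkcert doctor
    mkcert typist
    # Step 1: the doctor sends a signed message; the signature includes doctor.crt.
    printf 'signed only\n' > msg1.txt
    openssl smime -sign -in msg1.txt -signer doctor.crt -inkey doctor.key -out signed1.eml
    # Step 2: the typist verifies it and stores the doctor's cert from the signature.
    # -noverify because self-signed demo certs have no CA; a mail client checks the chain.
    openssl smime -verify -in signed1.eml -noverify \
      -signer doctor_received.crt -out /dev/null 2>/dev/null
    cert_can_encrypt doctor_received.crt || exit 1
    # Step 3: the typist can now encrypt TO the doctor. The doctor could not yet
    # reply encrypted, since no typist cert has arrived in a signed message.
    printf 'transcription attached\n' > msg2.txt
    openssl smime -encrypt -binary -aes256 -in msg2.txt -out enc2.eml doctor_received.crt
    # Step 4: only the doctor's private key can open it.
    openssl smime -decrypt -in enc2.eml -recip doctor.crt -inkey doctor.key -out dec2.txt
    tr -d '\r' < dec2.txt
  )
  rc=$?
  rm -rf "$work"
  return $rc
}
```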