Privacy, Integrity, and Authenticity
(At this point only SSL and some authentication are used. Full
authentication/authorization and signing are mostly not available. 2011)
Privacy and authenticity of email have been sorely neglected -
there is at present essentially none. Methods already exist to
secure the data connection and authenticate senders, and hence to verify the
originator. Only the effort of deployment stands in the way. The
rapid advent of wireless network connection makes these measures more
Privacy can be obtained by securing the connection between an Email client and its mail server with Secure Socket Layer (SSL). Qualcomm Eudora,
Microsoft Outlook, and other email clients now support SSL connections
to their email servers, as do many Web based email providers.
Authenticity and integrity can follow from the SSL secured
connection by using authenticated sending of email and then signing of the
email by the email server. Recipients can verify the signature and
be assured that the email originated from the authenticated sender and has
not been modified or damaged. Or the email
server could verify the signature and put the incoming email in a
Validated/Authenticated mail box. for imap users.
The advantages for email are the same as for SSL web
- The server is securely identified by its server
- The email traffic is private between the email client and
the server because the data traffic between the two is encrypted.
- The logon account name and password are kept secret.
For more on SSL and server certificates see the report
Server Certificates and
SSL - What, Why, and Issues.
Authentication of email origination can be done by the Mail Transfer
Agent by standard AUTH methods as well
a specific methods such as POP-before-SMTP.
The server that securely receives and
authenticates the original email can cryptographically sign the email
headers and body. Subsequently anyone viewing or deciding to relay
the email can verify that the originator was authenticated and that the
email has not been altered since it was received.
The digital signature can use the same Public Key
cryptography as the email servers PKI Certificate used for the SSL
connection, or other signing/verification methods.
Received email signatures could be validated
either by the email client or by the email server (or both). The
email server could direct validated / authenticated messages to a special
imap mailbox, etc.
13 Apr 2016 12:25:02 -0700