Thursday, July 2, 2020

Fossa Guard Pro 1.0 Personal Certificate enrollment options

Once Fossa Guard Pro 1.0 is installed, the user has to enroll an identity, a Personal Certificate, before secure emailing can start. The enrollment artifacts are stored in the local Chrome extension storage, in user space (see https://fossaguard.blogspot.com/2020/03/technical-details-about-chrome-extension.html for details), and consist of:
  • Private Key: keep it private; it is used to 
    • decrypt messages sent to you 
    • sign messages, so that your recipients can verify the signature using your Public Certificate 
  • Trusted Certificates: the chain of trusted certificates from the direct issuer of your Public Certificate up to the trusted root certificate, so that anyone can verify the origin of your Public Certificate.
  • Public Certificate: the certificate your recipients use to encrypt messages sent to you. It is also used when you send an encrypted message to yourself, so it appears both in the Personal and in the Recipient certificate lists.
There are three ways to enroll a Personal Certificate once Fossa Guard is installed.



Import Private Key (p12, pfx)


This option applies when the user already has a personal identity as a file in P12 or PFX format, protected by a passphrase (which may be empty). Such a file usually contains a Private Key together with the corresponding Public Certificate. 
Once the user provides the correct passphrase to decrypt the imported file, Fossa Guard:

  • Checks that the contained Public Certificate is valid and is issued to the email address of the logged-in user; if so, the Private Key is assigned as the user's default identity 
  • Adds the corresponding certificate to the Recipients list (so the user can send encrypted emails to himself)
NOTE that few or no vendors provide free trusted S/MIME identities: http://kb.mozillazine.org/Getting_an_SMIME_certificate


Enroll Fossa Certificate


The user can enroll a free Personal Certificate signed by the Fossa Certificate Authority (CA). The Fossa Guard extension and Fossa CA are designed to make enrollment simple and secure using Enrollment over Secure Transport (EST).
Once the user provides a name (the only mandatory parameter), the procedure can start.


The Private/Public key pair and the Certificate Signing Request (CSR) are generated locally in the browser.

In the next step, the user logs in to the Fossa server (by clicking `Get Shared Secret from Fossa.me Server`) to obtain a shared secret, which is then used to establish the TLS connection. Note that you must log in to the Fossa server with the same Gmail account, so that the shared secret is obtained for the corresponding email address.


Over that TLS connection Fossa Guard sends the Certificate Request (carrying the public key) and receives back the Public Certificate signed by Fossa CA.
In the final step, Fossa Guard asks the user to enter a passphrase to protect the Private Key before storing it, together with the Public Certificate, in the local Chrome extension storage.

That's all: Fossa Guard is ready for secure mailing via Gmail.


Enroll Self-signed Certificate


The self-signed Personal Certificate enrollment consists of only the first and last steps of the Fossa certificate enrollment: the key pair is generated locally, and the Private Key is protected with a passphrase before it is stored.
On completion the self-signed certificate is automatically added to the Personal, Trusted, and Recipient certificate lists.

NOTE that a self-signed certificate cannot be verified through an issuer certificate, so the user has to find a trusted channel to share it with his recipients.
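The three enrollment options share the same building blocks: a locally generated key pair, a certificate that binds the public key to the user's mailbox, and an import-time check that the certificate is trusted and issued to the logged-in address. The Go program below is an added example written for this page; it is not code from the Fossa Guard extension (which is JavaScript) or from Fossa CA, and it uses only Go's standard library so that it runs offline. `demoCA` is a hypothetical root standing in for Fossa CA, the names and `example.com` addresses are constructed, and the EST/TLS transport of the CSR, the P12/PFX parsing and the passphrase-protected storage are left out. `enrollWithCA` follows the Fossa CA option (key pair and CSR on the client, issuance on the CA side after the CSR signature is checked), `enrollSelfSigned` the self-signed option, and `checkIdentity` the import check: a certificate is accepted only if it chains to a trusted root (a self-signed one only if it is itself in the trusted set, which is what the note above is about) and carries the logged-in user's email in its subjectAltName.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func template(cn string, years int) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0)}
}

// smimeTemplate: mailbox in the SAN (rfc822Name), usable for signing and RSA key transport.
func smimeTemplate(name, email string) *x509.Certificate {
	t := template(name, 1)
	t.EmailAddresses = []string{email}
	t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	return t
}

// issue signs tmpl with signer's key; parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// demoCA is a hypothetical root standing in for the issuing CA (not Fossa's real CA).
func demoCA() (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	t := template("Demo S/MIME Root (example only)", 10)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	return key, issue(t, t, &key.PublicKey, key)
}

// enrollWithCA: key pair and CSR are made on the user's side; only the CSR reaches the CA.
// Returns the private key (never sent) and the certificate the CA issued. EST transport omitted.
func enrollWithCA(caKey *rsa.PrivateKey, caCert *x509.Certificate, name, email string) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: name}, EmailAddresses: []string{email}}, key))
	// CA side from here: the CSR signature proves possession of the private key.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	return key, issue(smimeTemplate(csr.Subject.CommonName, csr.EmailAddresses[0]), caCert, csr.PublicKey, caKey)
}

// enrollSelfSigned: same local key generation, but the certificate is signed by its own key.
func enrollSelfSigned(name, email string) (*rsa.PrivateKey, *x509.Certificate) {
	key, t := must(rsa.GenerateKey(rand.Reader, 2048)), smimeTemplate(name, email)
	return key, issue(t, t, &key.PublicKey, key)
}

func poolOf(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// checkIdentity is the import-time check: the certificate must chain to a trusted root
// (a self-signed one passes only if it is itself trusted) and name the logged-in mailbox.
func checkIdentity(cert *x509.Certificate, trusted *x509.CertPool, loggedInEmail string) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	for _, e := range cert.EmailAddresses {
		if strings.EqualFold(e, loggedInEmail) {
			return nil
		}
	}
	return fmt.Errorf("certificate is for %v, not for %s", cert.EmailAddresses, loggedInEmail)
}

func main() {
	caKey, caCert := demoCA()
	_, alice := enrollWithCA(caKey, caCert, "Alice", "alice@example.com")
	_, carol := enrollSelfSigned("Carol", "carol@example.com")
	fmt.Println(checkIdentity(alice, poolOf(caCert), "alice@example.com"), checkIdentity(alice, poolOf(caCert), "bob@example.com"))
	fmt.Println(checkIdentity(carol, poolOf(caCert), "carol@example.com"), checkIdentity(carol, poolOf(carol), "carol@example.com"))
}
```

Run it with `go run`: `checkIdentity` returns nil for an accepted certificate and the reason otherwise, so the first line shows Alice's certificate accepted for her own mailbox and rejected for `bob@example.com`, and the second shows Carol's self-signed certificate rejected as an unknown authority until her certificate itself is added to the trusted pool. When importing from a P12/PFX file, also confirm that the private key's public half equals the certificate's public key (`(*rsa.PublicKey).Equal`) before accepting the pair, and if the issuing CA sits below an intermediate, put the intermediate certificate into `VerifyOptions.Intermediates` rather than into the roots.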


4 comments:

  1. Is this working as of November 2020? When I sign an email with FossaGuard Pro (trial) from the Gmail web interface, the signature is not validated in Thunderbird but only displayed as an attachment, as you can see in https://i.imgur.com/eh6NkCR.png.

  2. Yes, it's working, and a new update with a hidden subject feature is coming soon.
    When sending an S/MIME signed-only message to a Gmail account we put the original message as an attachment, due to the fact that Google mangles S/MIME signed-only messages: https://fossaguard.blogspot.com/2020/04/smime-signed-messages-support-in-gmail.html. Our approach makes the Fossa extension able to check it, and the user is also able to access the original message from the attachment. https://fossaguard.blogspot.com/2020/06/fossa-guard-pro-10-smime-signed-support.html

    Indeed, if you send an S/MIME signed-only message to a non-Gmail email address, Google's servers don't mangle it and you can check it using Thunderbird's interface.

  3. > When sending S/MIME signed only to Gmail account we put original message as an attachment due to the fact that Google mangles S/MIME signed only messages

    Does the previous mean that Thunderbird will be unable to validate these signatures?

    Replies
    1. Have you tried to open the attachment in Thunderbird? It should recognize the message.
