Will S/MIME keep my email private even from me?
August 13, 2009 4:59 AM Subscribe

What happens to an S/MIME-encrypted email message when the certificate used to encrypt it expires?

If, for example, I've got a bunch of S/MIME encrypted emails stored in a Gmail account that I use via Thunderbird and IMAP, and I have a certificate installed in Thunderbird which expires - do all those messages suddenly become unreadable?

Also: if I install an updated certificate, what happens when somebody I haven't heard from for a while sends me a mail encrypted using the public key from my old (but still not yet expired) certificate?

posted by flabdablet to computers & internet (5 comments total)

As far as I know, it won't suddenly become unreadable: the encryption isn't time dependent. What should happen is that the mail client should warn you that the certificate has expired or ask you for confirmation to open it. As long you don't delete the old certificate you should still be able to read the mails encrypted with it whether it's expired or not. (Not having used Thunderbird I can't confirm precisely how it behaves).
posted by Electric Dragon at 5:51 AM on August 13

Any messages that an S/MIME client stores in their encrypted form will not be decryptable if the certificate/private key used for encryption has been deleted or otherwise not available.

http://en.wikipedia.org/wiki/S/MIME
posted by anti social order at 6:17 AM on August 13

There's nothing that makes your computer suddenly unable to use the big number to decrypt. The expiration date attached to it is an attempt to make sure that in 100 years, we don't have more keys than ever is useful; if the number is expired, then the program that uses it will just tell you that it shouldn't be used any more.
posted by cmiller at 6:47 AM on August 13

anti social order: Certificates expiring is not the same as the certificate being unavailable.

Try this: Set your computer's clock ten years forward. Visit a secure site. You'll get a certificate expiration warning, but you can easily continue through to the secure page.
posted by odinsdream at 7:04 AM on August 13

OK, thanks. So, if I'm understanding this properly:

If I get a new certificate issued for my own email address, it includes a new pair of encryption keys - key pairs are unique per certificate, not per owner;
When I get an updated certificate issued for my email address, my email client will not replace my old certificate, but will simply add the new one to its certificate collection;
I can continue to use old certificates to decrypt old emails, or even encrypt new ones, provided I click through a warning about using an expired certificate;
When backing up an mbox or maildir that's known to include S/MIME encrypted emails, it's vital to back up all the associated certificates as well.

My larger task here is writing up a short backgrounder and a step-by-step how-to for S/MIME encrypted email using Thunderbird and Thawte free personal email certificates. My audience is people with a business need for encrypted email but not much technical confidence. I just wanted to make sure I'm not going to steer anybody wrong.

I'm kicking myself for not having remembered odinsdream's clock foolery trick. Been using ntp for too long, I think :-)

Cheers.
posted by flabdablet at 5:07 PM on August 13

« Older Help me get a friend who has t... | I am traveling to Mexico with ... Newer »

You are not logged in, either login or create an account to post comments

Will S/MIME keep my email private even from me? August 13, 2009 4:59 AM Subscribe

Will S/MIME keep my email private even from me?
August 13, 2009 4:59 AM Subscribe