Well I’ve been using OpenPGP for a while with Enigmail on Thunderbird and also with OpenPGP and Mac Mail, they actually work quite well and the nice thing is all the private keys are self-created, so you don’t have to worry about some certificate authority having access to all your information via the private keys they create.
The big problem is that iOS doesn’t support PGP and the mail solutions are at best hard (that is Apple doesn’t allow competitors to Mail, so you have to constantly copy and paste from ipgmail).
But S/Mime is supported natively, you just need your .p12 file and you can use Mail. The big security hole here is that you normally get your certificates from a Certificate Authority and who knows what they are doing with all those private keys. So the best answer seems to be private keys that you generate yourself. This is actually pretty easy. The big thing you give up, like OpenPGP, is that it is peer to peer so you have to know who you are talking to. To me this is actually a feature as it prevents the CA from getting corrupted or doing bad things.
Here is how to do it (with only open source software as again, you don’t want some private code seeing your keys):
Getting an SMIME certificate – MozillaZine Knowledge Base
You may use a personally self-signed certificate in Thunderbird. However, since these certificates are not signed by an approved certificate authority, the certificate will not be trusted by other computers or people unless they add the self-signed certificate to their list of certificate authorities. Personally self-signed certificates are generally only useful for testing or for exchanging information with people you already know and trust.
It’s possible to generate self-signed certificates using the Firefox Add-on Key Manager:
Tools – Key Manager Toolbox – Key Manager – Your Keys – Generate SelfSign Cert and insert you data. On tab Advanced – Standard X.509 Extensions check “Is CA?”.
Another option for those who have sufficient understanding of certificate structures is using the command line OpenSSL.
Special considerations for installing personally self-signed certificates can be found in the Installing an SMIME certificate article
[On Mac OS X] You can create your own self-signed certificate using the Keychain Access application’s Certificate Assistant. To export your certificate as a PCKS12 file for import into Thunderbird, click “My Certificates” in the Keychain Access window. Select your self-signed certificate. Then from the menu bar select “File -> Export”. You will be asked for a password to protect this file. This is the password you will require when importing the certificate into the “Your Certificates” tab of Thunderbird after entering your master password.
To export your certificate as a “.cer” file for use as a certificate authority, select “Certificates” in the Keychain Access window. Select your self-signed certificate. Then from the menu bar select “File -> Export”. Be sure “.cer” is selected as the appropriate file type in the save dialog.
The process to install into Thunderbird is pretty complicated. here is what you need to do:
- Create a master password for Thunderbird. You need this so that people can’t see your private key. This is in Firefox/Preferences/Privacy/Passwords/Set Master Password
- Install the .p12 file you created above at Thunderbird/Preferences/Advanced/Certificates/Your Certificates/Import
Then you have to install the S/Mime on your IoS device and everytime you see someone who has one, you then have to manually install their certificate. See Feinstruktur.