Why do email Digital Signatures have to be such a pain in the ass?

I spent the better part of my day trying to get Thawte personal email digital signatures to work with GMail and Lotus Notes 8.5. Why does it need to be this hard?

Yesterday I finally had a need to get a personal digital certificate and send somebody a digitally signed email message -- I'm working remotely on a project for one of my customers and I needed VPN access into their network. To get the necessary permissions and access, I had to send a digitally signed email to their head of IT security. The head of IT security directed me to Thawte's freemail certificate issuing authority web site, which generates certificates for several different web browsers and email clients that you can import and use to digitally sign your emails. I figured "ok, no problem".

Click on the "Read the rest of this entry" link below for more.

The actual certificate registration process itself is fairly simple. You sign up into Thawte's web site and fill out a bunch of personal information, and the site sends you an email with a link which it uses for delivery verification. After clicking on the link, you can then request a X.509 format public key certificate for "Mozilla Firefox/Thunderbird/Netscape Communicator", "Internet Explorer/Outlook/Outlook Express", "Lotus Notes R5", "OperaSoftware Browser" or "C2Net SafePassage Web Proxy".

Being that I am a Lotus Notes user, I chose Lotus Notes R5, assuming that certificate would still work in R8. So I hit the request button.

Unfortunately, if you are running Lotus Notes R8 and are using Firefox as your browser to follow external links in your emails, Thawte gives you a Sorry Dave, I Can't Do That message. Kind Regards? Is that the South African way of saying go stuff yourself? Okay, so I figured maybe it needs to import the cert into my browser, and then Notes will handle it automagically. So I requested a Mozilla certificate, which took a few minutes for it to generate, which I was then able to download using Windows XP and automatically imported into my browser.

When I attempted to digitally sign an email message using Lotus Notes, it told me I had no certificates. Suffice to say if you do not have a Lotus Notes-compatible certificate and you don't import it into the software directly, digital signatures with Notes do not work. DOH! Given that Thawte wasn't going to issue me one for Notes, I had to take another route. I decided I was going to use my personal email account running on GMail instead. Surely, the mighty Google had figured out how to do this, right?

In a word, uh, no. As It turns out, GMail has no built-in automagical provisions for digital signing using an X.509 certificate. There's no settings area where you can select "Import Digital Certificate" or "Generate Digital Certificate from Google's cert authority" or anything like that. To use digital signatures with GMail, you actually have to download a 3rd-party Firefox extension that supports S/MIME, which will insert your Thawte/Firefox compatible certificate into an email using GMail. Got it? Okay, great.

Related: Getting a Thawte Email Certificate (heypete.com)

But I wasn't going to mess with squirrely Firefox extensions and GMail using my work Windows XP laptop, which is an acropolis of business-critical software that I don't want to fool around with that uses finely tuned java/web apps which require specific configurations in order to run correctly. I had just built a brand-new Windows 7 machine and a bunch of Windows 7 VMs that I could blow up if I wanted. So I installed Firefox 3.5 on Windows 7, and I installed the S/MIME plugin. Then I retrieved my certificate from the Thawte website.

I quickly found out, however, that this doesn't work. You see, when you run Firefox 3.5 in Windows 7, by default it runs in Windows Vista compatibility mode and the MIME behavior is different and you can't pick up your certificate from Thawte from their web site and automatically import it into Firefox. You have to right-click on the Firefox icon, select Properties, then select Compatibility and then Windows XP Service Pack 3. Then you can send an email using the digital signing plugin for GMail.

You'll notice that at the bottom of the email, there's an smime.p7s attachment which is the actual digital signature. But this digital signature is "Untrusted" because I didn't join the "Web of Trust" for Thawte and didn't get a bunch of people to verify I was a real human being.

There needs to be a better and easier way to get digital signatures into emails. For starters, all the mainstream web email services, be it GMail, Microsoft Hotmail, AOL Mail or Yahoo! Mail need to integrate their own Certificate Authorities into their web sites or at least form partnerships with existing Certificate Authorities so that with a few clicks, you've got a certificate issued and running in your Web Mail.

You shouldn't need some stupid browser plug-in with some arcane web retrieval mechanism which breaks on modern versions of Windows to do this. If a "Web of trust" is required to further verify that you are a real person and not some random spammer, then I can think of no better mechanism than using social networking sites for this, such as your existing LinkedIn contacts or your FaceBook friends network that will validate a trust ring for email certificates -- the people who ALREADY trust you as a contact to begin with.

Are you frustrated with the current state of digital signing mechanisms? Talk Back and Let Me Know.