What happens when mail encryption keys expire?

Posted in Genius Bar, edited January 2014
I'm interested in sending/receiving mails encrypted/signed in both directions. Am considering all options, including using PGP/GPG as well as being my own CA and distributing keys (private and public) to my friends and family.



Am tending towards being my own CA as many of my contacts are not savvy enough to install PGP/GPG but most mail clients already support the P12 format natively (including Mail.app). This will make it easy for them...



As I understand it, mails are stored encrypted even after they are decrypted for viewing the first time, so using the key is necessary to open them. My question really is what happens after keys expire? Will I be able to read my old mails? I have to consider other mail clients on other platforms, so the solution has to be independent of specific mail clients...



Thanks in advance...

Comments

  • Reply 1 of 4
    A certificate needs to be valid when using it to sign and/or encrypt.



    For decrypting, the certificate (and the corresponding private key) just needs to be available (i.e. readable in the certificate store -- whatever kind that would be on any platform). A good mail program will indicate that the certificate was valid at the point in time when you did get the mail. So there are only two issues you need to watch out for:

    - never delete any old/expired certificate (and/or corresponding private key)

    - when moving mail from one machine to another (or upgrading the OS) be sure to preserve certificates and the corresponding private keys (including any expired ones)



    On a side note: just get PGP; it even comes with a fantastic manual!
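    The two points above (expiry only matters when the certificate is used to sign or encrypt; decryption only needs the private key, and a careful client compares the certificate's validity window with the message date) as an added Go example that is not from this thread, using only the standard library. The subject name and the message date are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeExpiredCert builds a self-signed cert whose validity window lies
// entirely in the past (a constructed stand-in for an expired S/MIME cert).
func makeExpiredCert() (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alice@example.invalid"}, // hypothetical subject
		NotBefore:    time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2013, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// validAt reports whether cert was inside its validity period at t: the
// check a careful mail client makes against the message's own date.
func validAt(cert *x509.Certificate, t time.Time) bool {
	return !t.Before(cert.NotBefore) && !t.After(cert.NotAfter)
}

// roundTrip encrypts plaintext to the expired cert's public key and decrypts
// it with the private key; decryption never consults the validity dates.
// It returns the recovered text, validity at the constructed send date, and validity now.
func roundTrip(plaintext string) (string, bool, bool) {
	cert, key := makeExpiredCert()
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, cert.PublicKey.(*rsa.PublicKey), []byte(plaintext))
	if err != nil { panic(err) }
	pt, err := rsa.DecryptPKCS1v15(nil, key, ct)
	if err != nil { panic(err) }
	sent := time.Date(2012, 6, 1, 12, 0, 0, 0, time.UTC) // constructed Date: header of the mail
	return string(pt), validAt(cert, sent), validAt(cert, time.Now())
}
```

    Keeping the expired private key is what makes the decryption succeed; the validity check only affects how the client labels the message.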
  • Reply 2 of 4
    Quote:

    Originally posted by BNOYHTUAWB

    A good mail program will indicate that the certificate was valid at the point in time when you did get the mail.



    Ah hah! I didn't think of that... That would be good. So, a good mail client compares the timestamp of the mail before decrypting it. Old mails get decrypted with old keys, while new ones get decrypted with new keys. I just have to ensure that I never lose old keys. Too easy!



    What are "good mail clients" in this regard? Do Mail.app and Thunderbird (regardless of platform) do this time check?
  • Reply 3 of 4
    Quote:

    Originally posted by drumsticks

    Ah hah! I didn't think of that... That would be good. So, a good mail client compares the timestamp of the mail before decrypting it. Old mails get decrypted with old keys, while new ones get decrypted with new keys. I just have to ensure that I never lose old keys. Too easy!



    What are "good mail clients" in this regard? Do Mail.app and Thunderbird (regardless of platform) do this time check?




    Mozilla is mostly correct in these respects (and I guess that will make Thunderbird correct too). I do not know about Apple's Mail app, cos I did not (yet) use S/MIME certs with it (I'm back to using PGP, because it offers way more)!
  • Reply 4 of 4
    Thanks a lot for your comments! Cheers!