Using the Mesh to secure email

S/MIME, OpenPGP and beyond

End-to-end email encryption has been available to expert users for over 25 years. But using end-to-end encrypted email has been a challenge to say the least. S/MIME requires the user to obtain a digital certificate from a Certificate Authority and renew it regularly. OpenPGP requires the user to learn an arcane set of instructions and lore.

Recently, applications such as Signal have proved that end-to-end encrypted messaging can be just as easy as using regular email. But there is a catch and it is a big one, each of the new 'easy to use' messaging systems introduced is a closed system with one set of services connecting users. Some of the systems are open source, you can set up your own network if you like but you won't have anyone to talk to.

Mesh/Mail is a Mesh application that makes use of S/MIME and OpenPGP to encrypt email end to end as easy as sending a regular email message. You don't need to change your email provider and if you install the mail encryption proxy, you can use virtually any email client produced in the last 20 years without modification.

This document describes the use of Mesh/Mail to create the credentials used to encrypt and sign email.

The mail encryption proxy which makes use of end-to-end email encryption transparent requires revision to make it compatible with the current version of the Mesh reference code. This will be made available at a later date.

Creating an email application profile

If the mail client is supported by the Mesh Reference Code, The client can be configured to use end-to-end encrypted email with the mail create command:

mail create

The meshman tool reads the email client configuration files, enumerates the accounts and creates a Mesh profile containing S/MIME and OpenPGP keys for each.

Currently a self signed S/MIME certificate is created. A future version of the tool will allow users to enroll for a free S/MIME certificate from Comodo Group Inc.:

mail create alice@example.net /ca=ca.example.com

Configuring an unsupported mail client

Currently, the only mail client supported by the reference library is Windows Live Mail which has since been replaced by Windows Mail. Enabling support for Outlook and Windows Mail is a high priority.

Support may be added for almost any email client however, provided that it supports configuration through a command line or shell interface of some sort.

To extract the users private key, we first generate a temporary password using the keygen command.

meshman keygen
RD5D5-MBOJ6-D6TEZ-CZMOY-OAU4I-NNX6V

We can then extract the private key encrypted under the temporary password which will be passed to the application we are to configure.

mail get alice@example.net /pass=RD5D5-MBOJ6-D6TEZ-CZMOY-OAU4I-NNX6V

More information on creating scripts for the shells supported on various platforms can be found in the Platforms section of this guyide.