Trying to set up encrypted mails but I'm confused about certificates and keys

  • 5 replies
  • 1 has this problem
  • 3 views
  • Last reply by Zenos


Hello all, My first foray into encrypted emails and I'm already confused! To begin with, I'm trying to exchange mails with one other person, who I believe uses Outlook. So far:

He's sent me his certificate (although I thought I would receive his public key) which is a file called smime.p7m. I don't know what to do with this.

I've successfully followed the instructions at https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages. When I start a new mail, I can either go to the Enigmail menu and switch on encryption / digital signing and it seems fine, or I can go to the dropdown on the S/MIME button and it says "You need to set up one or more personal certificates before you can use this security feature." Are these two different ways of doing the same thing (in which case I'll use the one that works!) or not?

As you can see, I'm getting confused between keys and certificates! If some kind person could take a minute to explain what my next steps are, that would be much appreciated. I couldn't find anything on the Thunderbird support pages, though I know I need to send him my public key.

Thanks in advance. Stuart.


All replies (5)


Stuart, I am not an expert in that area, but I've been reorganizing some of the support articles and offer the following for further reading: https://support.mozilla.org/en-US/kb/configuration-options-security https://support.mozilla.org/en-US/kb/configuring-certificates

If those don't help, come back.


Hi Duggabe, Thanks for the reply (and for your work on Mozilla). Unfortunately no, those links didn't really help. If I knew what I was trying to do, they would help me to do it... but I haven't got to that point yet!

If you or anyone else can help further, that would be great.

Thanks. Stuart.


Stuart,

I'm confused too ;)

Mark this as 'not helping'. Then if you don't get another answer soon, you might request that it be 'elevated'.


In case it's useful to someone else... this blog post (http://iqsecur.blogspot.co.uk/2012/06/complete-guide-to-encrypting-and.html) was really useful!


Stuart8, good find, that article.

I found the main disincentive to using the built-in S/MIME capability is that it's not immediately obvious where to get your certificate and keys. Most providers want $$$ for them, which is natural enough if they are actually going to validate you in some way. I did at one time have a Thawte certificate and even enough WOT vouches to be a low-grade WOT Attorney.

Once you have your key, it's a bit of a pfaff to install it into Thunderbird. You'll probably find that S/MIME is the default in business correspondence, since many businesses operate their own mail servers, ftp servers and so on and probably have an arrangement to generate self-issued certificates or to buy them on a commercial basis from a CA.

Enigmail/OpenPGP doesn't require any financial outlay on your part, but is harder to get your keys properly validated since there's not much of a formal WOT nor a reliable central registry. You generate your own keys and it's pretty much all based on mutual trust.

Since the two systems are incompatible, you need to have set up the same as whatever your correspondent is using.

I suspect that you have discovered that it's a two-way process. In order for a correspondent to send you an encrypted message, you must both be using the same system, and he must have your public key to encrypt his message, and you'll need his in order to reply with encryption. So yes, he needs to send you his public key for you to send to him, but what he sends to you needs YOUR public key.

Obviously, signing messages is a useful halfway house. I believe that you sign with your private key, and the recipient will have to download your public key to validate your signature. Whilst a signature doesn't safeguard your privacy, it goes some way to proving that the message came from who it says it came from and that it hasn't been altered in transit. (I really can't understand why banks, lawyers, insurance companies haven't picked up on these encryption and signing schemes. Perhaps they actually prefer all those awful phone calls where you need to struggle to recall supposedly unforgettable names and dates! ;-) )

In practice, I find that if you sign a message to an outfit who don't know what to do with it, their numpty anti-virus system will probably barf on the signature which it thinks is executable code and therefore must be a virus or worm. :-(
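
The certificate-versus-key question and the two-way exchange discussed in this thread, as an added example that is not part of any post here. It uses the `openssl` command line with throwaway self-signed certificates; the identities `alice` and `bob`, the `example.test` addresses and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway self-signed S/MIME identities (constructed names).
set -eu
work=$(mktemp -d) && cd "$work"

# Create a private key ($1.key, never shared) and a certificate ($1.crt, shared).
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1@example.test" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# A certificate is the public key plus identity data: the key inside the
# certificate equals the public half derived from the private key.
cert_matches_key() {
  [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1.key" -pubout)" ]
}

# Sign with the sender's private key; verify with only the sender's certificate.
sign_msg() {
  openssl smime -sign -in "$2" -signer "$1.crt" -inkey "$1.key" -out "$3" 2>/dev/null
}
verify_msg() {
  openssl smime -verify -in "$2" -CAfile "$1.crt" -out /dev/null 2>/dev/null
}

# Encrypt to the recipient's certificate; only their private key can decrypt.
encrypt_to() { openssl smime -encrypt -aes256 -in "$2" -out "$3" "$1.crt"; }
decrypt_as() {
  openssl smime -decrypt -in "$2" -recip "$1.crt" -inkey "$1.key" 2>/dev/null | tr -d '\r'
}

make_identity alice
make_identity bob
printf 'Meet at noon\n' > msg.txt             # constructed sample message
sign_msg alice msg.txt signed.eml
sed 's/noon/midnight/' signed.eml > tampered.eml   # altered in transit
encrypt_to bob msg.txt to_bob.p7m             # needs only bob.crt, not bob.key

cert_matches_key bob && echo "bob.crt carries bob's public key"
verify_msg alice signed.eml && echo "signature valid"
verify_msg alice tampered.eml || echo "altered message rejected"
echo "bob decrypts: $(decrypt_as bob to_bob.p7m)"
echo "alice decrypts: $(decrypt_as alice to_bob.p7m)"   # empty: wrong private key
```

Self-signed certificates are used here only so the script runs offline; each side trusts the other's certificate directly rather than through a CA.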