Showing results for 
Show  only  | Search instead for 
Did you mean: 
New member
Status: New idea

Currently getting e-mail S/MIME digital certificate is a nightmare even for advanced users.

I propose the creation of a simple interface accessible from the "Tools" menu on Thunderbird, something like "S/MIME Wizard".

These Wizard should request a secure URL and some authentication code (so that automated scanning tools of e-mail, browsers, anti-malware services don't mess up).
Should also allow to select any certificate details like say: RSA/ ECC key length strength (2048 RSA, 3072 RSA, 4096 RSA, 8192 RSA, ECC P-256, ECC P-384, ECC P-521), hash feature "SHA-256", "SHA-384", "SHA-512", the encryption together with that key "AES-128", "AES-192", "AES-256", and even maybe the type of signature: "RSASSA-PSS" or "RSASSA-PKCS1-v1_5".

Some of the values like "ESA/ ECC key", "HASH", "Type of signature" are used for the request of certificate to the certificate authority. And "Encryption", and (also) "Hash" are used to be associated from that moment to whatever account on thunderbird that certificate is attached, meaning that the user can change that later in the interface, but by default thunderbird would use those values.

The wizard should propose to update the thunderbird account with the associated e-mail if any exist, and if there is a current valid s/mime the certificate the wizard should note that and allow the user to decide if it keeps the current s/mime or if it updates to the new one (s)he just got.

The current process is too complicate: means people need to go in some browser, they may need to use special compatibility modes if they use Edge, they need to find out where the certificate store is on the browser, they need to find out where to get that from the certificate store, then find out how to export that to the computer, then they need to find out how to import into Thunderbird, meaning finding where they can find the certificate store on thunderbird, how to import and then how to associate to the account. I think most people will not want to do that unless they really need... and probably they need some expert to do it for them.

Of course, the Secure URL and authentication code would be provided by the S/MIME provider (e-mail digital certificates) after the e-mail loop verification, any paper work and calls (if) need, and payment (if required by the provider).

My hope is these way more people can use S/MIME to both authenticate themselves and protect (encryption) the contents of the messages with a true end-to-end solution, with third party verification.

Even better if Let's encrypt would be also integrated into the Wizard and allow users to get the S/MIME for free at least for e-mail address verification.

To help users get S/MIME certificate the Wizard could contain some always updated list of certificate authorities that provide a public accessible page where it is easy for the person to acquire the S/MIME certificates, of course: certificate authorities that support the Secure URL and Authentication Code method of the S/MIME Wizard.

Status changed to: New idea
Community Manager
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

New member

Running Thunderbird version 102.12.0 on Windows 10 Pro Ent. in IMAP configuration. I have a Digital Certificate (s/mime) from Sectigo same one I use in outlook or other email clients, when using this certificate from Thunderbird it shows as invalid when recipient receives it, because it is showing that Thunderbird has altered the message.  Read this was a an issue on older version of Thunderbird. Has anyone else experienced this and is there a fix?