Mozilla/MachV: Mail: Security	UI Specification
Encryption and Signing	Last Modification:

Author: Jennifer Glick  Creation Date: 3 October 2001	Status: Mostly Complete
Quicklinks	Feature Team Engineering:  Bob Lord, Terry Hayes, Stephane Saux, David Drinan PM:   QA:  Antonio Lam  Docs:  Sean Cotter  UE  Jennifer Glick

** Note:  Not all security related icons in this spec are final. Some are temporary placeholders until final icons are completed by a graphic artist.**

Open Issues

1. Section A, item 1. Mail Account Settings. Security Panel. Sean Cotter to determine wording for "use encryption when sending messages:"  "Never" (or "No encryption") option. It was thought that "Never" might be too harsh. (Maybe descriptive text after "Never"?).
2. Section B, item 4. Wording for "Feature not yet setup" dialog. Sean Cotter.
3. Bug 104502 - Security related Icons for Mail.
4. Bug 144402 - Security icons in compose window should show what's possible.
5. Bug 144397 - Display Send Button with key icon when encryption is enabled
   

Design Overview

Summary

The S/MIME features of Mail enhance the security of your emails. Specifically, these features:

• Ensure the privacy of your email while it travels from your machine to your recipient's machine using high-grade encryption.
• Enable you to identify yourself and others in email messages by way of digital signatures.
• Ensure that no one can modify the email while it travels from your machine to your recipient's machine.

To activate these security features, you need to obtain a digital certificate. Certificates are issued by independent certification authorities (CAs). 

The technology works as follows: a sender encrypts an email using the recipient's certificate, and signs it using his/her own private key. The recipient verifies the signature and the integrity of the message using the sender's certificate, and decrypts it using his private key.

In order to send encrypted emails, you must have certificates for each of the recipients.

Goals

Make the signing and encryption security features easily accessible to users who want to use mail security features, while making them non-intrusive for those users less interested in these features.

• Global settings for encryption and signing.
• Per message settings for encryption and signing.
• Provide feedback when composing a mail message regarding the status of encryption and signing.
• Provide feedback when reading a message regarding the encryption and/or signing of the message.

Target User

Users in a corporate environment where security settings maybe set by a system administrator, as well as individual users who are concerned about security issues.

User Tasks

Basic Tasks

Global settings for encryption and signing. Per message settings for encryption and signing

Intermediate Tasks

Getting a certificate Using different certificates for different accounts Selecting an LDAP directory per account

Advanced Tasks

Access to:

Button	Menu	Account Settings
Mail Compose: Security dropdown menu button.	Mail Compose: Options: Security.  Per message encryption and signing options.	Security Panel

Design Details

In order to send digitally signed emails, you must have your own Digital Security ID (digital signature, public key, private key).  In order to send encrypted emails, you must have certificates (digital signature, public key) for each of the recipients.

A. Mail and News Account Settings

Security features are per account. A user can setup different accounts to use different certificates. For example, a user might use a corporate certificate for their work account and a personal certificate for a personal account, and maybe no certificate for a third account.

The user's security settings for a particular account determines the default security behavior when composing and sending messages. Users can change security settings on a per message basis.

1. Mail - Security Panel

Local Certificate Database is currently searched for certificates. Potential future feature, allow users to choose LDAP directories to search for certificates.

1a. Signing

• "Digitally sign messages" is off by default.
• If digitally sign is disabled, no icon is displayed in the status bar in Mail Compose windows.
• If digitally sign is enabled, a "signed" icon (TBD) is displayed in the status bar in Mail Compose windows.

1b. Encryption

• Default for encryption is "Never".  No encryption icon is displayed in the status bar of Mail Compose windows if encryption is set to "Never" for the selected account.
• When "If possible" encryption is enabled, an "encryption" icon is displayed in the status bar of Mail Compose windows. An intact encryption icon if the message can be sent encrypted and a broken encryption icon if the message can not be sent encrypted.
• With "If possible" encryption, the message can still be Sent if certificates for all recipients are not available.
• When "Always" encryption is enabled, an "encryption" icon is displayed in the status bar of Mail Compose windows. An intact encryption icon if the message can be sent encrypted and a broken encryption icon if the message can not be sent encrypted. With "Always" encryption, the messages can NOT be Sent if certificates for all recipients are not available.

1c. Certificates

• Per account certificate.
• Separate certificate can be used for Signing vs. Encryption.
• "Select" opens the "Select Certificate" dialog.

2. Newsgroups - Security Panel

Encryption is not available for newsgroup accounts.

3. Select Certificate Dialog

• Manage Certificates - opens the "Certificate Manager" dialog. Which is also accessible from Preferences: Privacy & Security: Certificates panel. Provide mental connection for users how all the security pieces fit together.
• Get Certificate - Button would open a help page in a browser window which would explain to users how to get a certificate and provide helpful links.
• Note: Would be useful if Preferences: Privacy & Security: Certificates panel also had a button which provides access the Mail/Newsgroup security items.

B. Mail Compose: Options: Security Menu and Toolbar Button Menu

Users can set up global security settings per account in the Mail & Newsgroups Account Settings dialogs. They can also use the Options: Security menu or the Toolbar Security dropdown button, to change security settings on a per message basis. Changes are reflected visually in the compose window as appropriate (Send icon, status bar icon, Security icon). 

Defaults in the menus are set based on the user's security settings for the account. If the user changes these settings using the Options menu or Toolbar dropdown button, the changes only apply to the current message. Once the user enables a particular security feature for a particular message, the window should behave as appropriate as outlined in the rest of this spec.

1. Options Security Menu

2. Toolbar Button/Menu

The Message Compose window toolbar contains a security combo menu/button. Clicking the button activates the default action, opening the "Message Security" dialog (see below). Clicking on the arrow to the right of the button displays a menu.  

The Toolbar security icon changes to show the availability of certificates for recipients of the current message (described later in this spec) and hence, if the message can be sent encrypted or not.   

Whether options can be unchecked when the global account setting is set to "Always" will be controlled by an
"Allow Always Encrypt Override" preference which will not be exposed in the preferences UI. The hidden preference is intended to be controlled using Mission Control Desktop (MCD). The hidden preference will not apply in the "Never" or "When Possible" cases. 

3. Message Security Dialog

Clicking directly on the Security Toolbar button, or selecting "Message Security" from the Options: Security menu or the Toolbar Security dropdown button, opens the "Message Security" dialog.

This dialog displays security info regarding the current message. Recipient's certificate status is listed. This provides the user with status regarding the security of the message (if the message can be sent encrypted) and certificates of individual users.

Note: This is a mock up only. Security team to decide what columns are appropriate to display.

4. Selecting a Security Feature Not Yet Setup

If the user selects a security feature from the menu and they have not yet defined a valid certificate in their security account settings, a dialog opens. "You need to setup a personal certificate before you can use this security feature. Would you like to find out how to do this now?" (Wording TBD, Sean Cotter). If they select "Yes", a browser window gets focus and displays a help page which explains how to setup and use the security features.

C. Composing a New Mail Message

Certificates for recipients are retrieved during auto-complete. They can be associated with entries in the user's local address books, an LDAP directory, or a certificate database.

As the email addresses of recipients are added, the client searches for valid certificates.  If valid certificates are available for all recipients, the security icon displays an "intact certificate" (TBD) in the top right corner. If there is a problem with at least one of the recipients certificates, a red "X" is displayed. A problem could mean either a certificate for a recipient is not available, or an existing certificate is expired. Clicking on the Security icon opens the "Message Security" dialog (above) which provides additional information about the recipient's certificates and where the problem has occurred.

If the client has found a certificate for all the current recipients, the "Send" button is modified to incorporate a "will be encrypted" icon (TBD).  

Similarly, if a valid certificate for all the current addressees is not available, a "broken encryption" icon (TBD) is displayed on the "Send" button, indicating to the user that the client wants to send encrypted, but can't.

Different possible scenarios are illustrated below.

1. Encryption is not Enabled in Account Settings - "Never"

User has account settings set for no encryption and no signing. The Security icon is available in the Toolbar (and the Options menu). The feature is accessible and discoverable for users interested in the feature, yet not distracting for users who do not want to use the feature.

• No icon on Security button. 
• No icon on Send button. 
• No icons in the status bar.

2. Send Encrypted - "Always Encryption" - Certs for All Recipients Avail

User has account settings set to "Always Encrypt". Message cannot be sent unless certificates for all recipients are available. Certs for all users Are available.

• Security toolbar icon indicates that a valid certificate for each recipient was found. 
• Status bar shows "encryption" icon indicating message will be sent encrypted.
• The Send button is enabled and contains the "encryption" icon. The message will be sent encrypted.
• Status bar shows the "signed" icon if signing is enabled and no icon if signing is not enabled.

3. Send Encrypted - "Always Encryption" - Certs for Some Recipients & Not for Others

User has account settings set to "Always Encrypt". Message cannot be sent unless certificates for all recipients are available. A valid certificate for some recipients is found, an invalid certificate or no certificate is found for some recipients. 

• The toolbar Security icon indicates that valid certificates were Not found for all recipients. 
• Status bar shows "broken encryption" icon indicating message won't be sent encrypted.
• The Send button is disabled and contains the "broken encryption" icon. The message cannot be sent.
• Status bar shows the "signed" icon if signing is enabled and no icon if signing is not enabled.
• User can click on the Security button to open the "Message Security" dialog to get more details regarding the message.
• Tooltip when hovering over disabled "Send" button (Sean Cotter to provide).

4. Send Encrypted - "If Possible" Encryption - Certs for All Recipients

User has account settings set to "Encrypt if possible". Message can still be sent if certificates for all recipients are not  available. A valid certificate for all recipients is available.

• Security toolbar button indicates that a valid certificate was found for all users. 
• Status bar shows the "encryption" icon indicating the message will be sent encrypted.
• The Send button is enabled and contains the "encryption" icon. The message can be sent and will be sent encrypted.
• Status bar shows the "signed" icon if signing is enabled and no icon if signing is not enabled.

5. Send Encrypted - "If Possible" Encryption - Certs for Some Recipients & Not for Others 

User has account settings set to "Encrypt if possible". Message can still be sent if certificates for all recipients are not  available. A valid certificate for some recipients is found, an invalid certificate or no certificate is found for some recipients. 

• Security toolbar icon indicates that a valid certificate was Not found for all recipients. User can click on security button to get details. 
• Status bar shows the "broken encryption" icon indicating the message will not be sent encrypted
• The Send button displays a "broken encryption" icon and the button is enabled. The message can be Sent, but will not be sent encrypted.
• Status bar shows the "signed" icon if signing is enabled and no icon if signing is not enabled.

6. Signing a Message

User has account settings set to enable digital signing only.  

• The Send button does not change. 
• The "signing" icon appears in the status bar, indicating signing is enabled.
• The encryption icon in the status bar may or may not shown encryption enabled depending on current situation (as described above).

D. Mail Compose: Status Bar

1. Status Bar

The status bar is used to indicate whether a message will be digitally signed and/or encrypted when sent.

When digitally sign is enabled, the "signed" icon appears in the status bar. When digitally sign is not enabled, no icon appears in the status bar.

An "encryption" icon appears when the user has requested a message be sent encrypted and the message can be sent encrypted because the necessary recipient certificates are all available. A "broken encryption" icon appears when the user has requested a message be sent encrypted but the message can not be sent encrypted because the necessary recipient certificates are not all available. No encryption certificate is shown if encryption is set to "Never/None" for this account or message.

2. Tooltips (some suggestions, tech writer to finalize)

• Signed Icon - "Message will be digitally signed when sent."
• Encryption Icon "Message will be encrypted when sent."
• No Encryption Icon - "Message can not be encrypted."

E. Reading a Mail Message

Indicate to recipient if a received message was sent signed and/or encrypted. 

When you receive a digitally signed message, the sender's certificate is added to your address book, if it is not already there.

**Note: Icons would probably need to be larger.**

1. Without An Attachment

Feedback in envelope area. Encryption and/or signed icons displayed as appropriate (intacted or broken).

2. With An Attachment

Feedback in envelope area. Encryption and/or signed icons displayed as appropriate (intacted or broken).

3. Tooltips (Sean Cotter)

• Encryption Icon - "This message was encrypted when it was sent."
• Signed Icon - "This message was digitally signed by Jennifer Glick on Thu Oct 18 16:52:01 2001."
• Broken Signed - TBD

F. Forwarding and Replying to Messages

This section not yet discussed.

Only forward as attachment allowed?

Replying to and forwarding emails will cause the compose window to start in the most restrictive state as specified by either the replied-to or forwarded email or the encrypt preference.

So if the replied-to or forwarded email was encrypted, then Option->security->"Always encrypt" is checked. If it wasn't encrypted, then the setting is governed by the encrypt preference. 

There is value in knowing whether the original message was signed, but it can only be done by keeping the original message intact together with it's signature. This can only be accomplished if the original message is delivered as an attachment. However, users may wish to edit the message before sending it, which requires the message to be inline. If the original message is inline, no statement can be made as to whether it was originally signed.

Issues

1. If you have certs for some recipients but not for others, no one can receive the message encrypted? Or just recipients without certs will receive no encryption? Current design is all or nothing.
2. Should Mail Security Prefs be located with Mail & Newsgroups or Privacy & Security section of preferences? Per Account in Mail and News Account Settings.
3. What do we do if the user has "Always Encrypt" selected and certs for one or more users are not available? Do we disable the "Send" button? Let user click "Send" and display a dialog? If user has encryption set to If Possible, Send button with open Lock is enabled. If user has encryption set to Always, Send button with open Lock is disabled.
4. If a message is encrypted it is also signed? No. A message can be just signed or just encrypted or both.
5. Does the Send button also need a "signed" version as well? If so, having "encrypted" and "signed" on
   top of the Send button could be too crowded. Only encryption icon will show on Send button. Signed icon will be in status bar is enabled.
6. Conflicts with SSL lock icon.  SSL will keep the lock icon. Encryption will use another icon, maybe a key? Graphic artist to determine. Even though they both represent the message will be sent securely, they are each controlled by different settings and are really separate features. 12/7/01.
7. Account Settings. Change panel name from "Secure Messages" to "Security" per Sean Cotter's request. 12/7/01.
8. Account Settings. Remove checkbox to enable a different certificate for Encyption (vs Signing). For now, users must select two certs. Maybe in the future, allow them to use the same cert. 12/7/01.
9. Reading a message. Move "Attachments" label over list box to avoid confusion with it appearing above security icons.
10. Conflicts with SSL lock icon. Since SSL is already using a lock icon in the Browser and Mail, it was felt that a different icon should be used to indicate encryption. Yes, they both represent security, but are in reality control by different users settings and distinct separate features. SSL will keep the lock icon. Encryption will use another icon, maybe a key? Graphic artist to determine. 12/7/01. 
11. Account Settings. Change panel name from "Secure Messages" to "Security" per Sean Cotter's request. 12/7/01. 
12. Account Settings. Remove checkbox to enable a different certificate for Encyption (vs Signing). For now, users must select two certs. Maybe in the future, allow them to use the same cert. 12/7/01. 
13. Account Setings: Remove address book/ldap settings for now. Currently the Local Certificate Database searched for certificates. Bring back as appropriate in the future. 12/7/01. 
14. Reading a message. Move "Attachments" label over list box to avoid confusion with it appearing above security icons. 12/7/01. 
15. Using icons for cert status in the addressing area raised concerns regarding UI clutter and performance hit.
    Decided to go with Security toolbar button which would give encryption/cert status instead. 12/7/01.