Identity Set-Up and Key Management

Identity management is a crucial part of the system and of the PEE protocol. An "identity" is essentially the public key of a particular mail address (or account), signed by a certificate authority. An account should have no more than one valid identity at a time, and only the account holder must be able to request such a certificate. The client therefore has to authenticate against its MTA using appropriate means. The MTA reference implementation uses client certificates to authenticate its users; however, this is not part of the protocol itself. This explains why the PEE-Mail client asks its users to go through the process of certificate generation twice. The following steps are needed to set up a new identity:

  1. The client software prompts the user to manually collect random numbers (through mouse movements).
  2. The client generates an asymmetric key-pair.
  3. The client generates a CSR (certificate signing request).
  4. The client requests a TOTP (a time-based one-time password) from its associated MTA.
  5. If the client has got a previous certificate from a different CA, it needs to revoke it first.
  6. The CSR and the TOTP get sent to the selected CA to request an identity certificate.
  7. The CA uses the TOTP to check with the MTA whether the request is authorised.
  8. If the CA holds a previous certificate for this account, it will revoke it.
  9. The CA issues a new identity certificate and returns it to the caller.
  10. The client uploads the new identity certificate to their MTA and stores all the data in its local key-store.

Figure: Identity Set-up Process

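
The authorisation and revocation logic of steps 4 and 6 to 9 can be modelled as follows. This is an added example, not code from the PEE reference implementation: the class and method names are hypothetical, RFC 6238 TOTP with a 30-second step is an assumption (the page does not specify TOTP parameters), and the certificate is a plain dictionary rather than real X.509.

```python
import hashlib, hmac, secrets, struct

STEP = 30  # assumed time step in seconds; the page does not specify TOTP parameters

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class MTA:
    def __init__(self):
        self.pending = {}   # account -> secret of the outstanding TOTP

    def request_totp(self, account: str, now: int) -> str:
        # Step 4. The caller is assumed to be authenticated already.
        self.pending[account] = secrets.token_bytes(20)
        return totp(self.pending[account], now)

    def authorise(self, account: str, code: str, now: int) -> bool:
        # Step 7. pop() makes each TOTP single use, even after a wrong guess.
        secret = self.pending.pop(account, None)
        if secret is None:
            return False
        # Accept the current and the previous time step only.
        return any(hmac.compare_digest(totp(secret, now - d), code) for d in (0, STEP))

class CA:
    def __init__(self, mta: MTA):
        self.mta, self.certs, self.serial = mta, {}, 0

    def issue(self, account: str, csr_pubkey: str, code: str, now: int) -> dict:
        # Step 6 arrives here: CSR (reduced to its public key) plus TOTP.
        if not self.mta.authorise(account, code, now):
            raise PermissionError("MTA did not authorise this request")
        for old in self.certs.get(account, []):      # step 8: revoke predecessors
            old["revoked"] = True
        self.serial += 1                             # step 9: issue the new identity
        cert = {"serial": self.serial, "account": account,
                "pubkey": csr_pubkey, "revoked": False}
        self.certs.setdefault(account, []).append(cert)
        return cert

    def valid(self, account: str) -> list:
        # Invariant from the text: at most one valid identity per account.
        return [c for c in self.certs.get(account, []) if not c["revoked"]]
```

Because the CA revokes before it issues and the MTA discards the TOTP secret on first use, a replayed or stale request fails without changing the account's current identity.
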
As certificates have only a limited validity period, they need to be regenerated from time to time. The software has to manage all those certificates and pick the correct one for each purpose, e.g. validating a signature on a message.

  • CA: Certificate Authority
  • CSR: Certificate Signing Request
  • MTA: Mail Transfer Agent
  • TOTP: Time-based One-Time Password