1. CUHK Signed Messages
- How do we verify e-mails that are claimed to be digitally signed by CUHK users?
- I'm not a CUHK user. How can I send encrypted e-mails to CUHK members?
- I've received a CUHK e-mail with smime.p7s attachment and it said "This is an SMIME signed message". What does it mean?
- How do I recognize signed/encrypted messages in my e-mail applications? Do I have to check the identity of emails sent by CU every time?
- Can I encrypt/decrypt e-mail in webmail?
2. CU Link and Private Key
- When should I put my private key on CU Link?
- Encrypting and decrypting e-mail is slow with CU Link, why?
- What if the private key is compromised?
- What if the private key is lost?
3. Others
- Why is face-to-face verification required during the certificate application process?
- Should I delete the expired certificates from my browsers/e-mail programs?
- How to check whether it is a genuine CUHK webpage by digital certificate?
1a. How do we verify e-mails that are claimed to be digitally signed by CUHK users?

To verify e-mails that are claimed to be digitally signed by CUHK users, you need to install the CUHK Root CA Certificate into your Internet browsers and e-mail applications.

Once the CUHK Root CA Certificate is installed, all digital certificates issued by CUHK CA will be 'trusted' automatically. It is therefore very important to verify that the root certificate you are installing is genuine, not a fake root certificate generated by someone with malicious intent.

Please visit the following pages for details:
- Steps for Internet Explorer, Outlook 2002/2003, and Outlook Express 6 Users
  http://www.cuhk.edu.hk/ca/installroot_ie.htm
- Steps for Netscape 7.x Users
  http://www.cuhk.edu.hk/ca/installroot_ns.htm
1b. I'm not a CUHK user. How can I send encrypted e-mails to CUHK members?

To send encrypted e-mails to CUHK members, you must do the following in your e-mail programme:

(1) Install the CUHK Root CA Certificate
Once the CUHK Root CA Certificate is installed, all digital certificates issued by CUHK CA will be 'trusted' automatically.
- Steps for Internet Explorer, Outlook 2002/2003, and Outlook Express 6 Users
  http://www.cuhk.edu.hk/ca/installroot_ie.htm
- Steps for Netscape 7.x Users
  http://www.cuhk.edu.hk/ca/installroot_ns.htm

(2) Set up the CUHK LDAP Server
This lets you look up your target recipients' CUHK certificates on the CUHK LDAP server.
- Steps for Outlook Express 6 Users
  http://www.cuhk.edu.hk/ca/setupldap_oute.htm
- Steps for Outlook 2002/2003 Users
  http://www.cuhk.edu.hk/ca/setupldap_outlook.htm
- Steps for Netscape 7.x Users
  http://www.cuhk.edu.hk/ca/setupldap_nsmail.htm

After the above setup, you can send encrypted e-mails to CUHK members.
1c. I've received a CUHK e-mail with smime.p7s attachment and it said "This is an SMIME signed message". What does it mean?

This means that it is a digitally signed message. You should open the digital certificate to check the identity of the sender. To improve security, all notifications sent through the following ITSC systems will be signed with CUHK CA Certificates starting from the dates below.
- Jun 23 - ITSC Electronic HelpDesk (cumassmailing@cuhk.edu.hk)
- Jul 7 - ITSC Accounts Information Management System (account-help@cuhk.edu.hk)
- Jul 7 - ITSC Abnormal Network Traffic Alert System (resnet-help@cuhk.edu.hk)
- Jul 14 - CU Mass Mailings (cumassmailing@cuhk.edu.hk)

You are strongly advised to install the CUHK Root CA Certificate. This allows browsers and e-mail applications to trust certificates issued by CUHK CA automatically, which saves you a lot of time.

Please be aware that not all e-mail applications support this feature (e.g. Webmail). In such cases, you will receive e-mails with attachments such as smime.p7s (or p7m). Please read the following FAQ on how to verify signed/encrypted messages in various e-mail applications.
1d. How to verify signed/encrypted messages in my e-mail applications?

If a digital signature can be verified, you can be sure about the sender's identity, and that the e-mail has not been tampered with during transmission. However, some e-mail applications do not support digital signature verification. In those systems, you will find an attachment named "smime.p7s" in the e-mail. Webmail systems, in general, lack digital signature verification support.

Below are e-mail applications that support digital signature verification.
a. Outlook/Outlook Express
b. Thunderbird
c. Eudora

For more convenient access to CUHK webpages and e-mails, you are strongly advised to install the CUHK Root CA Certificate into your Internet browsers and e-mail applications. Once it is installed, all digital certificates issued by CUHK CA will be trusted automatically.
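
One way a mail filter or helpdesk script could tell these cases apart, as an added example that is not part of the original FAQ: it reads the MIME headers to report whether a message is clear-signed (smime.p7s), opaque-signed or encrypted (smime.p7m). The two sample messages are constructed, and the category names are this example's own.

```python
from email import message_from_string

# Constructed samples (headers trimmed, payloads are dummy base64).
CLEAR_SIGNED = """\
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Body text, readable in any client.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
ENCRYPTED = """\
MIME-Version: 1.0
Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data;
 name="smime.p7m"
Content-Transfer-Encoding: base64

AAAA
"""

def _canon(media_type):
    """Fold the legacy 'x-pkcs7-' media types into the current names."""
    return media_type.lower().replace("/x-pkcs7-", "/pkcs7-")

def classify(raw_message):
    """Report how a message is protected. Says nothing about validity:
    the signature still has to be verified against a trusted root."""
    msg = message_from_string(raw_message)
    ctype = _canon(msg.get_content_type())
    if ctype == "multipart/signed":
        proto = _canon(str(msg.get_param("protocol", "")))
        if proto != "application/pkcs7-signature":
            return "signed, not S/MIME"
        names = [p.get_filename() for p in msg.walk()
                 if _canon(p.get_content_type()) == proto]
        return "clear-signed, signature part: %s" % (names[0] if names else "missing")
    if ctype == "application/pkcs7-mime":
        kind = str(msg.get_param("smime-type", "unspecified")).lower()
        return {"enveloped-data": "encrypted",
                "signed-data": "opaque-signed"}.get(kind, "pkcs7-mime: " + kind)
    return "not S/MIME"
```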
1e. Can I encrypt/decrypt e-mail in webmail?

No. At present, most webmail services do not support secure e-mail.
2a. When should I put my private key on CU Link?

If you want to use your private key on public PCs, we strongly recommend that you do not install the private key there. Instead, put your private key on your CU Link. You can then send/read secure e-mail on those PCs while your private key never leaves your CU Link.

The PCs must have a smart card reader and the appropriate software installed.
2b. Encrypting and decrypting e-mail is slow with CU Link, why?

Since the computing power of a smart card is much less than that of a desktop Pentium PC, it will take much longer for CU Link to encrypt or decrypt an e-mail. The time taken, however, is independent of the message size.
2c. What if the private key is compromised?

If your private key is compromised, you should:
- Stop using the old private key to sign messages;
- Fill in one of the following forms and contact us immediately to revoke your private key:
  Client Certificate Revocation Form, or
  Server Certificate Revocation Form, or
  Object Signing Certificate Revocation Form;
- Contact people who will send encrypted messages to you and ask them to stop using your old public key.
2d. What if the private key is lost?

There is no way to recover your private key from either your Digital Certificate or your public key. That is why the private key is so important, and why you must take precautions against losing it accidentally or through hard disk corruption, virus infection, etc.

If you lose your private key, you cannot create digital signatures, nor read messages encrypted with your public key.

If you selected the Basic (Default) Option during certificate application, your private key was generated and backed up by ITSC. Please contact us at https://helpdesk.itsc.cuhk.edu.hk/group/ca-help to recover your private key.
3a. Why is face-to-face verification required during the certificate application process?

If you are applying for a digital certificate for the first time, the application process cannot be completed entirely on-line. Although you have already authenticated with your Computing ID and CWEM password during the first part of the on-line application process, if we issued the certificate right away, the security level of that certificate would be reduced to the same level as the CWEM password.

Once you have a digital certificate, any subsequent secure verification can be done on-line. For example, you can complete certificate renewal and server certificate application completely on-line.
3b. Should I delete the expired certificates from my browsers/e-mail programs?

Your expired certificates and the corresponding private keys will still be useful for decrypting old e-mail messages that were encrypted with those expired certificates. So you should not delete any expired certificates. In fact, you should back up all the certificates so that you can still access old encrypted messages in case your PC crashes.
3c. How to check whether it is a genuine CUHK webpage by digital certificate?

On our webpages, digital certificates are used when
- collecting your CWEM login information, e.g. CUHK Webmail System
- requesting your personal information like bank account, e.g. CUHK e-Payment System

These websites have also adopted Secure Sockets Layer (SSL) 128-bit encryption for data transfer to ensure a secure flow of information. That is, the information you enter is changed to unreadable code before transmission, and only authorized receivers can unlock the encryption to view your information.

Follow the steps below to check whether a webpage uses a genuine CUHK digital certificate issued by CUHK Root Certification Authority (CA) or Hongkong Post e-Cert.

A. Check if the lock icon appears next to the address bar.
B. As an advanced option, the following can be checked:
  1. Check the Certificate Serial Number/Thumbprint of the certificate.
  2. Compare them with Hongkong Post or CUHK Root CA.

A. Locate the lock icon next to the address bar of your Internet browser. This indicates that the website is encrypted. Click it once to find general information about the certificate.

B1. Click "view certificates" for more information about the certificate.

B2. Click on the "details" tab in the certificate window and compare the values with Hongkong Post e-Cert or CUHK Root CA.
- CUHK Root CA: Go to the CUHK Root CA webpage to check whether the thumbprint of the site is the same as the certificate fingerprint of the genuine CUHK Root CA certificate.
- Hongkong Post CA: Go to Hongkong Post e-Cert and enter the server name to check whether the Serial Number of the site is the same as the Serial Number of the genuine Hongkong Post e-Cert CA.

If they are the same, the site you checked has a genuine certificate issued by CUHK Root CA or Hongkong Post e-Cert.
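
The thumbprint comparison in step B2, and the check on the root certificate before installation in 1a, as an added example that is not part of the original FAQ. It goes slightly beyond the page by accepting both SHA-1 and SHA-256 thumbprints and the different separators that tools display; the sample PEM is constructed dummy data, and the published value must come from the CA through a channel you trust.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded root certificate file. The body is
# arbitrary bytes, not a real certificate: a thumbprint is a hash over the
# DER bytes, so the check behaves the same on a real file.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed DER bytes, not a real certificate" * 4).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def normalize(fingerprint):
    """Strip the separators tools add ('AB:CD', 'ab cd') and lowercase."""
    hexdigits = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError("fingerprint contains non-hex characters")
    return hexdigits

# Digest length in hex characters -> algorithm that produced it.
_ALGO_BY_LEN = {40: "sha1", 64: "sha256"}

def matches_published(der, published):
    """True if the certificate's thumbprint equals the published value."""
    want = normalize(published)
    algo = _ALGO_BY_LEN.get(len(want))
    if algo is None:
        raise ValueError("expected a 40- or 64-hex-digit fingerprint")
    got = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(got, want)
```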