How does CSE EXACTLY work ?

Hi !

I never used CSE yet, however it looks interesting. It is also free, which makes it a good deal. (And of course in the long run, in case I will open an office, I might stick to your product using a non-free version…)


I would like to know the exact mechanism how CSE works regarding the exchange and creation of the certificates / keys especially. E.g. I write an email, what exactly happenes from the sending to the receiving of it ?
(In more detail than on your webpage here

Where can I get this info ?

Thank you,

P.S.: How does it exactly work, that someone unauthorised intercepting or receiving an email cannot read it or its attchments ?

If you are sending to someone who has a digital certificate: then the message is encrypted and digitally signed (noone can read it but the recipient and noone can modify it as recipient will know its modified)

If you are sending it to someone who hasn’t got a digital certificate: it has two modes… just sends it digitall signed, which means people can still intercept and read it, but they can’t modify the message. (eg: digitally signed)…or
in the 2nd mode where u can ask it to be encrypted: It uses our patent pending solution where we create a certificate for the recipient and the email is encrypted and digitally signed for the recipient (noone can read it but the recipient and noone can modify it as recipient will know its modified).

hope this simple explanation clarifies it for you.

Thank you for your response Melih:
However, we would be thankful for some precisement:
Therefore the specific hypothetical scenario:

User A has a mail address
User B, mail address

Lets assume User A wants to write a securely encrypted and digitally signed email to user B:
User A therefore has got a free digital certificate (private person) from COMODO, using CSE.
User A writes the E-Mail, adds userB as the recipient. Mail is encrypted and digitally signed by CSE using User B’s public key for encrypting the message to User B and then sent using Thunderbird.

Scenario All OK:
User B receives the encrypted and digitally signed message from user A (in Mozilla Thunderbird).
How does User B’s CSE know the “decryption” code for the message ?
Where is the decryption code stored ?
And how does User B’s CSE know that the message originates really from User A and not from somebody else ?( Especially if User B receives a digitally signed and encrypted message from User A for the first time)

And the final general question:
What encryption method is used ?

Sorry for the amount of questions, but we want to understand exactly what we might be using in future…
Thank you !

Identities are assured by the user of de facto industry standard PKI, with digital certificate and a trusted 3rd party (Comodo). For more info on PKI, please see here for more details:

E-mails are sent using S/MIME, please see here for more details:

Encryption is carried out using ‘public key encryption’ aka asymmetric encryption. For more information, please see here:

As Melih said there are a few scenarios.

  1. If A already has B’s digital certificate.
  2. When A doesn’t have B’s digital certificate.
    1. If A already has B’s digital certificate.
      In this case CSE simply uses S/MIME encryption and PKI above.
    1. If A already has B’s digital certificate.
      If A doesn’t already have B’s certificate, CSE has a few options for B to read this mail, all determined by A using our patent pending single user certificate system and our server. A sends the e-mail using this system, setting which options from the list below B can use to read it.

i) B must install CSE to read the mail. This is our recommend method and is fully secure.
ii) B can forward the mail to our web reader, and read the mail by supplying a password which A agreed with B in advance, e.g. by telephone or letter. Not as secure as i)
iii) B can forward the mail to our web reader but does not need to supply a password. Not as secure as ii)

As I said, A the sender decides which of the options are avaible to B. Hope this answers your questions.


Excellent, thank you !
Now I will study what you gave me …

I was going to try CSE a while ago (Months). But what put me off is, I think Comodo would be able to Decrypt my Emails.

As far as I’m aware, it would be almost the same as Two People (A & B) sending Secure Gmail’s to each other; accessing their Web Mail Page using https. (Staff at Google would be able to Decrypt my Emails.)

I think this could be the Second main reason why a lot of people simply don’t bother Encrypting. If a Company can easily Decrypt your Email, whether it is Comodo, Google, or your ISP who can Decrypt them, then why bother?

Is it possible to Encrypt Emails without a Digital Certificate from a Certificate Authority? (This would take the power away from Comodo, Google, or the ISP, and give it completely to the User.)

If this is feasible, would this be possible in CSE?

I don’t know much about Certificates, but how about CSE being able to generate randomized Self Signed Certificates so that the Emails can never be Decrypted by ANYONE but the User? (And the recipient of course.)

If you find it difficult to understand this Post, its because I’m talking about a Subject I am not familiar with.

Thanks. :-TU

Comodo does not read, cannot read your emails when you are using digital certificates. You own the your private key in your PC, Comodo has no access to it.


Thanks Melih! :-TU

I didn’t think that Comodo read the Emails (same for Google). I did think Comodo ‘could’ read the Emails (same for Google) if they wanted to though, because:

My feeling is that, in all of the scenarios, Comodo ‘could’ Decrypt the Email if they had access to it (even if it was Password Protected).


If a Lock Smith produces a Key (Private Key), they ‘could’ keep a Copy of that Key. :-\

If the User creates their own Key instead (out of Random Numbers), surely that would be much more Secure? ;D

Again, I am talking about a Subject I am not familiar with (Digital Certificates). I just wanted to put my point across, because there could be many in the same state of thought.


I’m not an expert either but AFAIK using CSE users already create their keys locally.

IIRC is it not as simple as using any number as only prime numbers could be used to generate a primary key.

I think what I am really trying to say, after reading ‘this’, is that I would like to Generate my own Public & Private Key’s, but without sending my Public Key to a CA (Certificate Authority).

I don’t think anyone would be able to Decrypt my Emails (apart from the recipient) that way.

As already posted if both users got CSE even decryption will be carried locally.

Anyhow I got the impression that what you actually trying to say is that CSE is insecure through analogies and feelings…


Some of the very early versions of PGP operated that way. I do not know if you can find software that works in that way now. Possibly OPGP or GnuPG but then you must get you Key signed by other users of the same in order to verify the identity of your key and your key still ends up public.

read this

but as has been said with current public key encryption no one can decrypt your message except the recipient with out significant computing power and a lot of time.

I prefer CSE

Comodo can.

There must be a better way possible IMHO. In a Two Way conversation, there should only be Two People with access to the Public Key (A & B). Not Three (A, B & C).

Thanks for your help though. :-TU

the public key does not permit decryption it is used to encrypt the message. there are no back doors installed in CSE. If you do not want to believe what you are being told so be it.

sorry, we could not help you



The PRIVATE KEY is Generated on the USERS PC.
(The User is me; the person installing CSE.)



If only everyone else knew this…

Thank you! ;D

I was under the impression that you could also do it the other way around; use the Private Key to Encrypt, and use the Public Key to Decrypt. This however is False! :-TU

Just one more question:

In these Two scenario’s, was the Email simply signed with Comodo’s own PUBLIC KEY?..
(And then Decrypted with Comodo’s own PRIVATE KEY when ‘B’ goes to view it Online with Comodo’s Web Reader?)


Where I say, “Comodo’s own * KEY”, I am NOT referring to the Key’s in the Digital Certificate that the User gets Free with CSE!

I am referring to Comodo’s OWN key!

As you are specifically restricting your focus on the decryption without CSE, did you at least confirm that key generation is carried locally and that if both users use CSE both encryption, decryption are carried locally too?

J2045 are you seriously implying that there is a Comodo master key?

Because of course this would be worse than asking you if you are NOT legitimately interested to understand how CSE works but only to discourage its use (at least).

Does your anonymity guarantee over you conjectures more than the replies form Comodo staff and CEO?

Because despite you are asking Comodo while neglecting existing replies, everybody else should acknowledge that your implied concerns may be totally unwarranted and not being swayed by them.


I’m implying nothing… I was simply asking if it was ENCRYPTED with Comodo’s PUBLIC KEY.

If the PUBLIC KEY is to ENCRYPT THE MESSAGE, and the PRIVATE KEY is to DECRYPT THE MESSAGE, then in those Two scenarios, it would make perfect sense if the MESSAGE was ENCRYPTED with Comodo’s PUBLIC KEY. (If I’m understanding correctly of course!)

Again, I am referring to Comodo’s OWN key, NOT the Key’s in the Digital Certificate that the User gets Free with CSE!

An why you question implicitly assume that the process rely on a Comodo key and not on enduser key?

Could it be you are still willing to drown this topic with feelings and analogies that advocate fear? 88)

You know the above quoted feeling and analogy was actually a reply to Comodo CEO post:

Where it was explicitly stated DO NOT and CANNOT.

Again I ask:
As you are specifically restricting your focus on the decryption without CSE, did you at least confirm that CSE key generation is carried locally and that if both users use CSE both encryption, decryption are carried locally too?


… As Comodo’s PRIVATE KEY would then be needed for the DECRYPTION process. (After person ‘B’ Forwards the Email to Comodo’s Web Reader.)

If Comodo really wanted to, they ‘could’. If you want to break any Encryption, all you need is the Guy’s who created the algorithm. (Or just their knowledge of course.)

Though my concerns were that Comodo was keeping a Copy of the Key’s, which can be used to Decipher ANY Emails created with CSE, in a Data Base. I was also concerned about who had access to that Data Base and how Secure it was.

But after xiuhcoatl explained that the public key does not permit decryption, my concerns were over/relieved.

So why you choose to ask these ridiculous questions, I have no idea. :frowning:

But what you are implying that the “Guy who created the algorithm” had to do?
Please consistently and thoroughly address this fictional scenario you alone introduced in this topic by means of feeling and analogies.

Is this why you are posting your conjectures about a Comodo key?

Please reread you concerns/feelings/analogies..
Are you you guessing that a Comodo key would be needed and it will be used even when two users have CSE? How so?
Or this is something you are now guessing only for the scenario where the recipient use the online decryption services because s/he is not willing to install CSE? How so?

If this is the you comment about asking you to reply to some of the conjectures you yourself posted about…

You know, you are the “Guy who created these concerns” in the first place.

You ‘could’ have asked those questions even if you were not genuinely concerned.
But apparently you were concerned about a Lock Smith keeping a copy of the key, isn’t it?