Because mail crosses the network between your workstation and server, and between servers, it is vulnerable to being read by eavesdroppers and to being altered by them en route. To protect against these vulnerabilities, Notes allows you to encrypt and sign messages.
When you encrypt a message, you encrypt it in such a way that only the named recipient can decrypt and read it. You do this by encrypting it with the recipient's public key. You can obtain another Notes user's public key from his/her Person record in the Domino Directory. You can obtain a non-Notes user's public key (if one exists) from other directories (Domino or LDAP) that your administrator may have made available to you for that purpose. And you can store copies of people's public keys in their Contact documents or in Cross-Certificate documents that Notes may have created for you in your Personal Directory.
Text encrypted with one's public key can only be decrypted with one's private key. In a well-secured Notes domain, the only useable copy of one's private key is in one's own Notes ID file. So, as long as no Notes user shares the password of his/her Notes ID file with others, only your recipients will be able to read encrypted mail you send to them.
To assure your mail recipients that messages you send to them were actually sent by you (and not some imposter) and have not been altered en route to them by some interloper, you can sign your messages. When you sign a message, you create a "digest" of your message, encrypt the digest with your private key, then send the encrypted digest along with the message to the recipient.
Your recipient decrypts the digest with your public key. That assures the recipient that you must have created the digest, because a digest encrypted with your private key can only be decrypted with your public key, and (in a well-secured Notes domain) yours is the only useable copy of your private key. In addition, the recipient can create his/her own digest of the message. If the recipient's digest comes up identical to the one you created, the message cannot have been altered en route.
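The sign-and-verify exchange described above, as an added Python example that is not from the original text and is not Notes's own implementation. It assumes textbook RSA with SHA-256 and constructed toy keys built from publicly known primes; the function and key names are hypothetical, and real signature schemes add padding that is omitted here.

```python
import hashlib

# Constructed toy keys for illustration only: the primes are publicly known
# Mersenne primes, so these key pairs provide no security at all.
def make_keypair(p, q, e=65537):
    """Return (public, private) textbook-RSA keys, each as (exponent, modulus)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (e, n), (d, n)

def digest(message: bytes) -> int:
    """Fixed-size digest of the message, as an integer smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Sender: digest the message, then transform the digest with the private key."""
    d, n = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: recover the sender's digest with the sender's public key and
    compare it with a digest computed independently from the received message."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)

SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**127 - 1, 2**521 - 1)

if __name__ == "__main__":
    msg = b"Quarterly figures attached."  # constructed sample message
    sig = sign(msg, SENDER_PRIV)
    print("unaltered message:", verify(msg, sig, SENDER_PUB))
    print("altered en route: ", verify(msg + b" (edited)", sig, SENDER_PUB))
    print("signed by impostor:", verify(msg, sign(msg, IMPOSTOR_PRIV), SENDER_PUB))
```

The recipient needs only the sender's public key and the received message; a mismatch between the two digests shows that either the message changed or the digest was not produced with the sender's private key.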
Mail encryption and signing are enabled by default for Notes mail, but not for Internet mail. You can use them whenever you want when sending mail to other Notes mail users. But you can only send and receive signed and/or encrypted Internet mail if your Domino administrator has implemented Domino's Internet mail security features, known as Secure MIME (S/MIME). See Chapter 3, "Email Basics," to learn how to send signed or encrypted mail.