Using MeringueMail

MeringueMail is described more thoroughly in the documentation that you can download. MeringueMail consists of client software that is used to generate keys and to retrieve and decrypt encrypted forms from a mail server, and JavaScript routines that encrypt forms.

1. Generate an RSA Cryptographic Key
Before you can use MeringueMail to encrypt forms you need an RSA key pair. The key pair consists of two keys: a public key that is used to encrypt your forms and a private key that you keep to decrypt the forms. This key pair is generated using the MeringueMail client.

You must specify your name, an e-mail address, a password that will protect your key and how long you want the key to be (as shown below). Your key should be either 1024 or 1536 bits long.

The generated public key is shown below. A "key identifier" is associated with each key generated. The key ID for this key is "4591f672...". The private key needed for decryption is not shown.

2. Export your RSA Public Key
You must package your public key with your website. The public key can only be used to encrypt forms; it cannot be used to decrypt them so there is no danger in putting this key on your website. This key is exported as a JavaScript file called "keys.js" from the MeringueMail client software.

The contents of the "keys.js" file will be something like the JavaScript shown below. Obviously all the values for your key will be different to those below. The information in this file contains the public key, your name, your e-mail address and the key ID. The e-mail address contains a "#" rather than a "@" so that spambots cannot find your e-mail address on your website. MeringueMail replaces the "#" with a "@" before posting your form.

recipients[ recipients.length ] = "Ernest Hammingweight";
publicKeys[ publicKeys.length ] = "badaf4b55185d8aeeba1ecf52e6ff0c5d720c6782a0992e78a70310122d1017e
ccfab470d4be79b755f45b08f2a43df8938776a355ff18f54f00ab98ac982dd6
89d5a5450d0e362d1318f6fb7fcc73acf562f93313abc80d0519743fb4ba338f
a65deee1e1fda5b8a0252e0158bc87afbc2aed703f3ffef12aa864479fadda6b
32e20f04ba5a26487be3dfdd1a6bfd5ebe3e5fe8421f320698e4138bfb51b4fb
d14f43ff8eab92a3f8ef6ecff0cc995efaa51822aed01ccd5c2a051439026701";
keyIds[ keyIds.length ] = "4591f6729cb41117476f7393df4f1572f2b950cf";
emailAddresses[ emailAddresses.length ] = "hammingweight#fastmail.fm";

3. Create your Form
After generating your key, you can create your form. The HTML below creates a simple (and rather stupid) form. The form has the name "survey".

The code in bold is the code that needs to be added to make the form work with MeringueMail. The amount of code that needs to be added to your form is negligible. The MeringueMail code is all invoked from the JavaScript source file included in the head of the HTML.



Survey




Name


Profession

Cobbler

Blacksmith

Other


Please enter your views on the proposed amendments
to rule #3.14.159-27



onclick="submitForm(this.form)">





4. Visitors complete your Form
When visitors visit your web site they will be able to complete your form. The screen shot below shows the form corresponding to the HTML above. The inclusion of the MeringueMail code does not change the way the form is rendered.

When the form is submitted it is encrypted. If you use Response-O-Matic to process your forms, your visitors will see the encrypted form contents as shown below (the encrypted data will be different every time even if they submit exactly the same data). The form name is not encrypted and the hexadecimal digits correspond directly to ASCII characters in the form name. The key ID (4591f672...) is submitted along with the form so that the MeringueMail client will know which key to use to decrypt the form.

If you don't like the way Response-O-Matic displays the submitted form, you should consider the Bravenet form processor. In that case you can create your own page to tell visitors that their form has been submitted. The default "thank you" page is as below.

5. Retrieve the Forms from your Mail Server
The MeringueMail client lets you log onto your mail server and retrieve your e-mails. Only MeringueMails will be removed from the server; other e-mails will be left on the server.

The forms are then downloaded. The image below shows one MeringueMail in the "Inbox". The contents field shows that the submitted form has the name "survey".

6. Decrypt and read your MeringueMails
To open and read the submitted form, you will need to supply the password protecting your RSA private key (see below). If you forget your password you will not be able to read your MeringueMails.

The following screenshot below shows the successfully decrypted form.

Go to the main MeringueMail page.

Go to the page explaining how to store decrypted forms in a database.