Using MeringueMail

MeringueMail is described more thoroughly in the documentation that you can download. MeringueMail consists of client software that is used to generate keys and to retrieve and decrypt encrypted forms from a mail server, and JavaScript routines that encrypt forms.

1. Generate an RSA Cryptographic Key
Before you can use MeringueMail to encrypt forms you need an RSA key pair. The key pair consists of two keys: a public key that is used to encrypt your forms and a private key that you keep to decrypt the forms. This key pair is generated using the MeringueMail client.

You must specify your name, an e-mail address, a password that will protect your key and how long you want the key to be (as shown below). Your key should be either 1024 or 1536 bits long.

The generated public key is shown below. A "key identifier" is associated with each key generated. The key ID for this key is "4591f672...". The private key needed for decryption is not shown.

2. Export your RSA Public Key
You must package your public key with your website. The public key can only be used to encrypt forms; it cannot be used to decrypt them so there is no danger in putting this key on your website. This key is exported as a JavaScript file called "keys.js" from the MeringueMail client software.

The contents of the "keys.js" file will be something like the JavaScript shown below. Obviously all the values for your key will be different to those below. The information in this file contains the public key, your name, your e-mail address and the key ID. The e-mail address contains a "#" rather than a "@" so that spambots cannot find your e-mail address on your website. MeringueMail replaces the "#" with a "@" before posting your form.

recipients[ recipients.length ] = "Ernest Hammingweight";
publicKeys[ publicKeys.length ] = "badaf4b55185d8aeeba1ecf52e6ff0c5d720c6782a0992e78a70310122d1017e
keyIds[ keyIds.length ] = "4591f6729cb41117476f7393df4f1572f2b950cf";
emailAddresses[ emailAddresses.length ] = "";

3. Create your Form
After generating your key, you can create your form. The HTML below creates a simple (and rather stupid) form. The form has the name "survey".

The code in bold is the code that needs to be added to make the form work with MeringueMail. The amount of code that needs to be added to your form is negligible. The MeringueMail code is all invoked from the JavaScript source file included in the head of the HTML.







Please enter your views on the proposed amendments
to rule #3.14.159-27


4. Visitors complete your Form
When visitors visit your web site they will be able to complete your form. The screen shot below shows the form corresponding to the HTML above. The inclusion of the MeringueMail code does not change the way the form is rendered.

When the form is submitted it is encrypted. If you use Response-O-Matic to process your forms, your visitors will see the encrypted form contents as shown below (the encrypted data will be different every time even if they submit exactly the same data). The form name is not encrypted and the hexadecimal digits correspond directly to ASCII characters in the form name. The key ID (4591f672...) is submitted along with the form so that the MeringueMail client will know which key to use to decrypt the form.

If you don't like the way Response-O-Matic displays the submitted form, you should consider the Bravenet form processor. In that case you can create your own page to tell visitors that their form has been submitted. The default "thank you" page is as below.

5. Retrieve the Forms from your Mail Server
The MeringueMail client lets you log onto your mail server and retrieve your e-mails. Only MeringueMails will be removed from the server; other e-mails will be left on the server.

The forms are then downloaded. The image below shows one MeringueMail in the "Inbox". The contents field shows that the submitted form has the name "survey".

6. Decrypt and read your MeringueMails
To open and read the submitted form, you will need to supply the password protecting your RSA private key (see below). If you forget your password you will not be able to read your MeringueMails.

The following screenshot below shows the successfully decrypted form.

Go to the main MeringueMail page.

Go to the page explaining how to store decrypted forms in a database.