Slashdot Mirror


Ask Slashdot: How Do I Request Someone To Send Me a Public Key?

First time accepted submitter extraqwert writes "An organization wants me to send them my personal data by email. I certainly do trust them. However, I would like to politely ask them to send me their public key for encryption. The secretary probably does not know what it is. But they do have a pretty good IT department, so they can figure it out. My question is, what is the proper wording for such a request? What is the right terminology to use? Should I say ``please send me your RSA key''? ``Public key''? ``PGP key''? Is there a standard and reasonable wording for such a request? (On my end, I am using GNU PGP: http://www.gnupg.org/ ) Any suggestions on how to be polite in this case?"


  1. This is why encryption isn't popular by Anonymous Coward · · Score: 5, Insightful

    Simple and expected processes like this need to be made truly dead simple and nearly automatic. Instead, there are a ton of different formats for keys depending on the usage, and you need to understand a significant amount about what's going on under the covers to do even these kinds of simple actions.

    Incidentally, here's the answer to the question. It's anything but clear, but likely to be clearer than any answer you get here.

    1. Re:This is why encryption isn't popular by Octorian · · Score: 5, Informative

      And heaven help you if you're using a web-based Email system, which basically breaks all these options. You know, like nearly all "normal" people are now doing.

    2. Re: This is why encryption isn't popular by shitzu · · Score: 5, Interesting

      Just as information - in Estonia we have national id cards which have PKCS11 for digital signing and encryption. Everyone already has a key that can be used to encrypt and/or sign data. For instance, the state sends speedcam fines to you via email that are encrypted to your public key and digitally signed by a police officer. Any person can encrypt data to any other person's public key provided that the recipient has an id card with valid certificates. The only caveat is that when the id card expires, the data is unencryptable because new certificates are generated in the new card and then signed by CA.

    3. Re: This is why encryption isn't popular by Anonymous Coward · · Score: 4, Insightful

      Would this mean that the gov't office that gave you the national ID card is also responsible for generating & storing your private key? If this is the case, it means the gov't has everyone's keys, and the encryption becomes meaningless. :/

    4. Re: This is why encryption isn't popular by IamTheRealMike · · Score: 2

      Some chips have the ability to generate key material inside themselves that never leaves and requires destroying the chip to obtain. If the cards were using such a chip then even the government would not necessarily have the private key. Whether Estonia does that or not I don't know, but of all the governments I fear in the world, the government of Estonia is not one of them. I mean, please name one other government that actually encourages and makes it easy for its citizens to use strong end to end encryption?

    5. Re: This is why encryption isn't popular by Bert64 · · Score: 4, Interesting

      Well not in the case given, where you are using the key in order to communicate with the government (eg speeding tickets).

      Banks should really do this, supply their customers with keys (store them on the cards that banks already give to customers) and then all electronic communication to/from the bank is verified using these keys. Should cut down on most of the phishing scams targeting banks.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re: This is why encryption isn't popular by we3 · · Score: 2

      No, the key would actually be generated on the card, as it has its own cryptographic processor, and cpu. It's called a smart card.

      I have no idea if they are actually doing this, as I am not Estonian and am completely unfamiliar with their ID card issuing process, but he seems to be implying that they do.

      Remember, there are two ways to get a key on a smartcard. You can have it generate a key (which CAN be signed without the key leaving the card), or you can generate the key externally and then import it.

    7. Re: This is why encryption isn't popular by michelcolman · · Score: 3, Insightful

      Well, if I were leading a country and wanted to spy on all my citizens' e-mail, giving them all an easy way to encrypt their mail using keys I provided sure seems like a great way of achieving that goal.

      However, the point is that you can securely communicate personal data with the government. In that case, you are not worried about the government being able to read your mail as they are precisely the ones you are communicating with. You just worry about criminals outside of the government. Also, you can safely transmit any data that is already known by the government to any third party. Name, address, credit card numbers, etcetera.

      Now, if you want to communicate with your terrorist buddies about how to blow up the Estonian Parliament, encryption with your national ID card is probably not the best idea.

      (Note to NSA spies reading this: yes, I know your filter was triggered by the phrase "blow up the Estonian Parliament", sorry about that, false alarm, nothing to see here)

    8. Re: This is why encryption isn't popular by BlueStrat · · Score: 3, Funny

      (Note to NSA spies reading this: yes, I know your filter was triggered by the phrase "blow up the Estonian Parliament", sorry about that, false alarm, nothing to see here)

      NSA, are you actually going to fall for that old ploy? Parent post is probably a message to an Estonian sleeper-cell.

      Listen, "michelcolman" (is that your code-name?) the NSA aren't your average morons!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    9. Re: This is why encryption isn't popular by shitzu · · Score: 5, Informative

      The key pair is generated INSIDE the card. This is the norm with most PKCS11 cards. The private key never leaves the card, your public key is signed by state. So the state does not have your private key per se.
      But that does not necessarily mean they have no means to decrypt it some other way - i don't even pretend to know that.

    10. Re: This is why encryption isn't popular by shitzu · · Score: 5, Informative

      In Estonia these id cards are used for everything. You can log into banks, you can communicate with any state official. You can sign any contract digitally with them. You can encrypt documents to another person's public key. Etc. This is much simpler than banks and everyone giving out their own cards - i only need one.

    11. Re: This is why encryption isn't popular by iluvcapra · · Score: 4, Insightful

      The private key never leaves the card

      Right, and who had possession of the card before you? These sorts of schemes are perfectly fine for government communication, signing contracts, banking, whatever, but they don't provide "4th Amendment Compliant" privacy for things like personal correspondence or use within private and commercial organizations.

      --
      Don't blame me, I voted for Baltar.
    12. Re:This is why encryption isn't popular by hairyfeet · · Score: 4, Insightful

      As the guy that fixes and sets up PCs 6 days a week I can confirm this, in fact I've only had 2 users still use download mail in the past 5 years and both were retired corporates who were used to Outlook, everybody else? Yahoo and Gmail.

      So if anybody wants encrypted emails to go anywhere there really needs to be some sort of browser based encryption that can work with Yahoo and Gmail, perhaps by making a generic "here is the email" letter with the actual email as an encrypted attachment? Oh and it'll need to be install-able as an app on Android and iOS, because nothing turns folks off more than not being able to check their email on their smartphones and tablets.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    13. Re: This is why encryption isn't popular by obarel · · Score: 3, Insightful

      Whether or not you want to trust a card given by the government is one thing.

      But if the government actively encourages people to encrypt stuff then there is greater awareness of privacy and encryption. It means that more people understand the concept of private/public keys and are more likely to generate their own keys and use them. They're also not afraid of encryption as a concept (and a question such as "how do I ask for their public key without sounding like a geek" doesn't exist). I think that's a positive thing.

      Other countries actively discourage privacy - yes, you can encrypt stuff, but if you don't give us the password then you'll end up in jail and we don't have to prove a thing. And why teach the masses to encrypt? It's so much easier listening to communication in the clear, and we can even perpetuate the notion that if you encrypt your files or communication then you're clearly hiding something and you're probably a dangerous criminal/terrorist/paedophile, because normal people don't use encryption.

    14. Re: This is why encryption isn't popular by Let's+All+Be+Chinese · · Score: 5, Interesting

      Simpler, yes. Desirable, no. It easily means that everything you do in any context is now easily linked. A state-mandated and -enforced real name policy. This is problematic for the same reasons that facebook or google forcing this on everyone is problematic. There are serious privacy problems with this.

      For example, simply knowing what key a message is encrypted to --and this is generally listed on the outside of a message and thus public-- means that you can do traffic analysis. And so you know which parties are talking to which other parties. Someone getting a lot of messages from the taxman or the state-run fine collector means what, do you think? Or maybe a bank you're trying to get a loan from saw your message stream and now knows that you're also talking to a few other banks, or repo men, or what-have-you. Hmmm.... So even with confidentiality of the contents, you're still leaking information.

      As such, this sort of card is only half the solution, especially since the state mandates that you have to use it, and it is so easy. What we really need is a single system that would support a single card (or multiple cards, if you'd like) with multiple identities.

      I don't strictly mean birth certificate-backed identities, but at least so that you can separate out the loyalty cards and bus passes so that they can sit on the same card yet not tattle on each other. Because each such a card is an "identity" too, carrying a history, and I for one do not want them to be state-enforced on the same identity. In fact, this is the same reason why companies cannot be allowed to gather SSNs without clear law-prescribed purpose, and curiously, that is enshrined in law. Bit of an oversight that this is not.

      No, simply saying "you can't mix that information!" is not enough, because it's unenforceable. You need a system where the holder of the identities can control who gets to see what. If the card doesn't support that, it is deficient, and a danger to its holder.

    15. Re:This is why encryption isn't popular by Lonewolf666 · · Score: 3, Interesting

      Encrypted attachment. The mail body only contains the hint that the real data are in the attachment.

      Of course, that won't help you if the recipient is not familiar with using encryption at all...

      --
      C - the footgun of programming languages
    16. Re: This is why encryption isn't popular by shitzu · · Score: 4, Informative

      You mean a standard e-mail client like for example Thunderbird that has existed for more than a decade and could check all your 8 accounts easily and with more functionality than you could ever imagine on a mobile device and has zero advertisements?

    17. Re: This is why encryption isn't popular by shitzu · · Score: 3, Interesting

      Yup. That's pretty much the case, as i said. You lose the encrypted documents. Generally people don't use it to encrypt day-to-day communications. Many people here confuse security and privacy (especially from the government). While our id card system is extremely good and easy for security, it's no good for privacy from the government.

      If i exchanged documents with someone that i want to hide from big brother, i would use PGP. But for legal communications with other individuals or businesses or government, i use the id card system.

    18. Re: This is why encryption isn't popular by Nemyst · · Score: 2

      Um, you do realize that this is all for rather official use cases where you're going to be identified regardless? I doubt your bank only knows you as John Doe, let alone the government. Contracts also tend to require identification.

    19. Re: This is why encryption isn't popular by niteshifter · · Score: 2

      It's not about the ID itself, that is a 'game token' if you will. The danger lies in how tokens are linked and evaluated by all the other players in the game. Especially if those other player's interests do not consider your interests as worth consideration.

    20. Re:This is why encryption isn't popular by hairyfeet · · Score: 3, Interesting

      Uhhh...did you read my post or just see the words "X86" and automatically think of a PC? What I thought I had made clear was the much lower power usage of the new chips by AMD and Intel is gonna lead to them both being used in the places that ARM is used today such as tablets and phones. If you want to get a taste or if any devs want to try AMD already has a prototyping board out that is 4 inches by 4 inches for $199.

      And this isn't even the latest and greatest, the new APU they just released a few weeks ago uses less than 3w under typical loads and that is for a dual core like this with a Radeon GPU that does 1080P and I bet even plays a lot of games, I know on my nearly 4 year old Bobcat dual I play the Portal series, L4D and GTA:VC (it would probably play the others but I don't have them) and there are plenty of videos of guys playing even more hardcore games like Crysis on them and getting 30FPS with reduced bling.

      So you seem to be confused friend, nobody is gonna make you go back to a PC if you don't want to, you are simply gonna be able to have the power of the PC in your pocket. Once Intel and AMD phones and tablets start hitting en masse I'm sure that all your favorite phone apps will be ported, after all it's the form factor not the arch that makes the app work, you'll just be able to do a HELL of a lot more with your mobile devices thanks to the insane lead X86 has when it comes to IPC. Hell Intel has said both the new Atom and the new CULV mobile chips will have "reduced function" mode which is where the majority of the chip shuts completely down but it's still able to do basic tasks, like say listen to music or receive messages.

      I'm telling you all you have to do is look at the benches to see the writing is on the wall for ARM as their latest and greatest can't beat a first gen Core Solo or Athlon 64 and those are 6+ year old chips, you compare the best ARM has to offer against the weakest AMD and Intel offers today and it's no contest, the X86 units just curbstomp ARM when it comes to the amount of useful work per cycle. Will ARM die? No but most likely it'll go back to the original use before the ARM craze took off, being embedded controllers in everything from MP3 players to kiosks.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. PGP won't help you by MichaelSmith · · Score: 4, Insightful

    The recipient will decrypt your data and lose it or possibly misuse it. That is the risk. But by all means ask for a secure way to get the data to them.

  3. It's a lost cause by symbolset · · Score: 3, Informative

    If the secretary can find somebody to decrypt your info, she will handle it improperly. Probably scan it directly to their compromised CMS. This is not a company you want to work for.

    --
    Help stamp out iliturcy.
  4. Party!!! by c0lo · · Score: 2

    Attend or organize a key signing party.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  5. If they need the information... by rahvin112 · · Score: 3, Insightful

    If they need the information they should have a secure way to receive it. I just refinanced, the broker had a secure site (SSL password protected file vault type interface hosted on their own servers) with a web interface that I could upload documents to.

    If they don't have such a system in place already and routinely request and access people's personal information, your trust is severely misplaced.

    1. Re:If they need the information... by rahvin112 · · Score: 4, Insightful

      It's nice you know so much about their system from a single sentence. I especially like the fact that in particular you know so much about their system that it was accessible by anyone other than the loan officer and that you are so certain a virus not only was on their system but that it could scan for SSNs, including of course from scanned documents in PDF format (in other words a bitmap image).

      Do you often speculate so egregiously about something you do not even know anything about?

      You act as if you know intimate details of their IT configuration, security procedures and even employee reliability and you don't even know who the bank was (let alone anything else).

      Honestly if I have to worry about the broker (who also happened to be a bank) having employees that are going to run off with my SSN then whether or not the transmission was secure is of little importance. I might add that just because you did it hard copy the same rambling risks you listed still applied to you or do you honestly believe the paper copies you received were the only copies ever made or that those same documents in electronic format weren't stored on their servers?

    2. Re:If they need the information... by Demonantis · · Score: 2

      I don't think he is outside the realm of reasonable speculation. Sony had their psn servers compromised and had credit card data ripped off. The connections in between were completely secure, but the data still got stolen. It also wasn't a rogue employee either. Data protection laws really need to be tightened up and enforced with auditing. A lot of the stuff is almost as good as cash and should be treated as such.

  6. How? by macraig · · Score: 3, Funny

    How Do I Request Someone To Send Me a Public Key?

    I prefer signal fires myself.

  7. Switch to an easier technology by mysidia · · Score: 5, Informative

    PGP is beyond the grasp of the average secretary or other end user. Unless you know for a fact that the person disseminating the data is familiar with PGP; you should probably not be asking them for their public key.

    I strongly recommend an encrypted PDF, Word Document (.DOCX), or Excel file (.XLSX); make sure to choose a strong password.

    I like the Office 2010 strong encryption and use of key stretching to make brute force password attacks hard --- but there is a free of charge reader available for PDF documents, and you should pick a strong password for encrypted documents anyways.

    Technically, you could implement DRM rights management services on your end, so the user has to contact your organization's RMS server over HTTPS for a license every time the document is opened, but it requires a trust relationship between orgs, or you having an account for the user.

    But the simple password protection is a very nice way to protect it. You can include a note in the e-mail message that you will be calling them to give them the password, so they can see the document.

    Then there is no confusion about what a 'PGP key is'. If you _regularly_ exchange a lot of documents with them, then you might ask to discuss using PGP.

    1. Re:Switch to an easier technology by jamesh · · Score: 2

      Agree. If you think it's okay for the untrusted secretary or IT department of an organisation to supply the public key then you don't understand public key encryption. Just use a password protected file and supply the password out-of-band.

  8. Buying a house by MrEcho.net · · Score: 3

    I ran into this situation very recently, I'm in the process of buying a house. It was a bit of a shock to me how much personal information they wanted. And most through email. And how my data is being passed along from business to business without good security.

    I use good practices on my side like two factor authentication, and ssl on everything, even a bit of pgp. But the other side who knows.

  9. you are pushing shit up hill with that request by bloodhawk · · Score: 5, Insightful

    You are better off just asking for "A secure means to submit your information" and list a few you are happy to use, Maybe they will send you a public key for secure email, maybe a secure web site or maybe they will just say if you are concerned you can get it couriered to them. If they are confused then chances are they have no system in place for dealing with the request and hence not even secure email is any good as that only protects the data in transit which they will certainly load into some HR system somewhere after it gets there anyway.

  10. Asking Slashdot for advice on being polite?? by bscott · · Score: 4, Insightful

    If you don't have the social skills to phrase a polite question, Slashdot is perhaps not the ideal place to go looking for advice...

    Technical issues with giving anyone your private key aside (I can't think of any reason to give it out to someone no matter how much you trust them) just explaining things clearly should work for any reasonable person:

    "I have no problem with you having my personal key, but I am concerned about the integrity of the data while in transit. I would appreciate it if you can supply me with a public key for your organization, then I will be able to encode my key so that only you can decode it. This will ensure that our mutual privacy won't be at risk due to using an insecure communication system such as Email. Thanks very much!" etc

    --
    Perfectly Normal Industries
  11. Re:just be straight up by jamesh · · Score: 5, Insightful

    If the data is important enough to encrypt then the public key is important enough to get properly. Asking the person who answers the phones to send you the key is not properly. Even asking the IT department to send it probably isn't good enough as they are in the perfect position to give you their fake key, intercept the email, decrypt it, then re-send it with the real key to the real recipient.

    If you are just worried about casual snooping of your "personal data", then just use something like 7zip and provide them with the password out-of-band.

  12. Re:IT Dept by viperidaenz · · Score: 3, Insightful

    So now a random guy in the IT department has the data, as well as the intended recipient, who then forwards it on in plain text to the PA of the guy who wants it.

  13. Simple. Don't. by Xiph1980 · · Score: 2

    I'm sorry to say, but the simple fact of the matter is that PGP/GPG isn't used anywhere in corporate life. Not even in banking-related companies.
    For one, people don't perceive email as something that can easily be snooped, and if they do they'll think it's something like a chance encounter as if it's a regular piece of mail where you have to be at a certain point at a certain time to be able to snatch the mail, plus have to have a reasonable idea what you're looking for as a mail thief.
    Secondly, and I cannot stress this enough, it's a f'ing drag to use. It's not easy to install. It's not easy to set up, and it's far from user friendly on a day to day basis.

    Besides the fact that email encryption isn't commonplace, as long as you aren't sending your pin number or medical data on a regular basis (daily), why bother to be honest. You'll get a stamp as "that weird guy" if you start about PGP etc, and that'll last. If you want to send it securely, just wrap it in an encrypted container, like a ZIP or RAR file and phone them the password.

    --
    Manuals are your last resort only
  14. No, they don't. by ledow · · Score: 2

    "An organization wants me to send them my personal data by email."

    "But they do have a pretty good IT department"

    No. They don't. Or their IT department is seriously underpowered in terms of getting through to their staff. Don't send personal data by email. If they don't have a system to let you do this (e.g. secured web form, etc.) then their IT department is already a bit of a failure. If they do, their staff would use it and tell you about it.

    If you want to ask, just ask. "I'm not going to send personal data by unencrypted email - what is your procedure for encrypted email?"

    Chances are, they won't have one and will just ask you to send the details unencrypted or by another method entirely.

  15. Re:just be straight up by icebike · · Score: 2

    This.

    Ideally, Public keys should be exchanged in person, or be obtained by a third party that you trust.

    Failing that, a public key for some company or person with whom you wish to send encrypted email can often be found on their website. And if it's been there for a while, and can be verified by a key server, then it is probably good enough to send them encrypted mail with, but you still don't know for sure who they are.

    But at least you know that what you send won't be seen by every prying eye along the route.

    But the sad part is that 98 percent of the companies you might deal with haven't a single clue what a public key is.

    In my day job we've had our public key published on our Web site for 10 or more years, and get maybe one or two emails a year, usually paying by credit card, from clueful people.

    Once set up, all the major email packages can handle pgp. Shame on them for making it an add-on, but it's still available, even for gmail and Hotmail, etc. Just stay away from their web interface and set up a decent email software. You can find these even for Android.

    --
    Sig Battery depleted. Reverting to safe mode.
  16. Extensions needed! by DrYak · · Score: 5, Insightful

    We need some developers to setup-in and develop in-browser Firefox/Chrome extensions (or userscript, or whatever) that seamlessly integrate encryption into popular webmails.

    You see plain text on the screen, but what actually goes into the "textarea" of the form is encrypted.
    There are already javascript "Rich Text Editors" which do similar jobs (you see a nicely formatted text on the screen, but it's HTML/BBCode/WikiCode going into the textarea). We simply need something similar, but for encryption and packed into the browser itself through extension mechanisms.

    (Note: Proper security comes from *end to end* encryption. It's therefore mandatory that the encryption/decryption layer is something that the end users install on their browser, and not something provided by the webmail site, even if it's client-side script code. Though it would help if webmail sites provided a few hooks or micro format to simplify the plugin of the encryption layer).

    Bonus point if someone else manages to do the same with OTR and webchats.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Extensions needed! by AlphaWolf_HK · · Score: 3, Interesting

      Or perhaps we ought to just take email back to the drawing board. Something I've pondered is an "email 2" where encryption is required. In addition, to kill email spam, any server that sends out email could be required to have a DNS record identifying it as an established SMTP server, and all POP3/IMAP servers only trust them instead of just accepting emails from any IP address that probably belongs to grandma's compromised PC. Of course, reverse arpa addresses are considered invalid.

      Webmail providers could do something akin to mega.co.nz style vault access, and only the user's password could decrypt the messages they receive. Something to the effect of having the user store the RSA keys on a key fob (or otherwise just keeping them local) and when they log in they decrypt the messages, and then re-encrypt using their vault key and store them on the server.

      Email 2 addresses could be identified by adding say a greater than sign after the @, indicating to the software stack that only secure transmission is permitted, say email2user@>domain.com

      That should also take care of your NSA problem, though companies like google would never be on board since they can't keyword match ads to messages.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    2. Re:Extensions needed! by joshuao3 · · Score: 3, Informative

      Your first paragraph is already implemented in something called SPF. It already works using the existing DNS infrastructure. The problem is that creating SPF records is effectively voluntary, so operators of mail servers are only able to use existence of the records as a way to increase trust, and not using the absence of the records as a way to decrease trust. Until everybody is on board with it, unfortunately, its usefulness will be limited.

      And, just for clarity, a POP3 "server" doesn't accept mail. POP3 is a protocol for retrieving mail from a mail server that likely received the mail from another mail server via SMTP. SMTP is the problem, not POP3.

      And no, it won't solve the NSA problem, or the Google problem. They'll just build bigger and faster computers to decrypt the emails.

      --
      Monitor bandwidth usage on IIS6 in real-time: http://www.waetech.com/services/iisbm/
    3. Re:Extensions needed! by watice · · Score: 2

      You mean like http://www.mailvelope.com/ ? Found it in a comment on a similar article this week, have been using it since.

    4. Re:Extensions needed! by anagama · · Score: 4, Informative

      Is there a reason you would use your private key to send encrypted emails to someone? I don't understand.

      My understanding is this:

      A uses B's public key to send message to B, B decrypts with B's private key.

      A slot safe is a better analogy than keys -- anyone can put stuff in the safe's slot, but only the owner who knows the combination can open it and read the messages people put in there.

      But -- maybe you're describing a use scenario I'm not familiar with. And if that is the case, I'd like to understand it.

      --
      What changed under Obama? Nothing Good
    5. Re:Extensions needed! by Immerman · · Score: 5, Informative

      The common term is signing, I should have mentioned that. If you encrypt with your private key it does nothing to hide the message since anyone can decrypt with your public key, but it does let everyone verify that the message did in fact come from you and hasn't been tampered with - the signature is exactly as secure as the encrypted communication channel because it is the exact same mechanism.

      As an example, let's say the president wanted to send nuclear missile firing orders by email. Now maybe he'd want to keep the orders secret, and he'd encrypt with the missile silo's public key for that. But far more important would be a mechanism in place to verify that the orders actually came from him and not some script kiddie spoofing his email account. That's where the signing comes in - he *also* encrypts his email with his own private key, and the silo can now confirm that the message came from the right person.

      It's sort of the next step beyond the "secret codeword" confirmation - with a codeword everybody who needs to be able to confirm their orders has to know what the codeword is, and that's a large attack surface for those looking to compromise the system. With digital signing only the president needs to know the codeword, and never tells it to anyone else. Everybody else just needs his public key to confirm that he does in fact know the codeword - thus the system is much more difficult to compromise. That such functionality comes essentially for free with any public/private key encryption channel is an added bonus.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
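An added illustration, not part of any comment in this thread: the two operations discussed above (encrypting to the recipient's public key, and signing with the sender's private key) written as textbook RSA with only the Python standard library. The toy key sizes, the sample message and all function names are constructed for this example; real tools such as GnuPG use much larger keys and add padding.

```python
import hashlib

E = 65537

def make_key(p, q):
    """Return (public, private) as ((n, e), (n, d)) from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

# Constructed toy keys built from well-known Mersenne primes. Far too small
# and unpadded for real use; GnuPG generates and pads real keys for you.
SENDER_PUB, SENDER_PRIV = make_key(2**61 - 1, 2**89 - 1)
RECIP_PUB, RECIP_PRIV = make_key(2**107 - 1, 2**127 - 1)

def digest(message, n):
    """SHA-256 of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def encrypt(message, recipient_pub):
    """Confidentiality: anyone can do this, only the recipient can undo it."""
    n, e = recipient_pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext, recipient_priv):
    n, d = recipient_priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(message, sender_priv):
    """Authenticity: private-key operation over a hash of the message."""
    n, d = sender_priv
    return pow(digest(message, n), d, n)

def verify(message, signature, sender_pub):
    n, e = sender_pub
    return pow(signature, e, n) == digest(message, n)

if __name__ == "__main__":
    msg = b"acct 12345"                      # constructed sample data
    sig = sign(msg, SENDER_PRIV)             # sender proves origin
    ct = encrypt(msg, RECIP_PUB)             # sender hides content
    received = decrypt(ct, RECIP_PRIV)
    print(received, verify(received, sig, SENDER_PUB))
    print(verify(b"acct 99999", sig, SENDER_PUB))   # altered text fails
```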
    6. Re:Extensions needed! by rthille · · Score: 2

      Fucking Google ignores SPF records. Just the other day at work we were checking on the viability of spoofing from our cloud based servers into our Google hosted-domain email (to make it easier for an internal automated system to assign issues to the correct customer). So I spoofed the "From:" header. No problem. Yay, it'll work! :-)

      Then, curious, I spoofed the envelope sender for my personal domain which specifies a hard-fail. Google nicely logged the hard-fail and delivered the email anyway. It's nice to know that people should have no trouble joe-jobbing me to Google email customers. Fuckers.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  17. EXPLICITLY ask them NOT to send the private key by lkcl · · Score: 2

    this is really important. people who don't know what ssh keys are will typically send you the id_rsa (private) key file.

    IT IS VERY IMPORTANT that you say to them EXPLICITLY and VERY CLEARLY, "please send me the public key file *only*. DO NOT send me the PRIVATE key. you can identify the private key because it is named xyz. i ONLY want you to send me the PUBLIC key, it is named xyz.pub. if you send me the private key, you will have to destroy it and we will have to start again, so ONLY send me the PUBLIC key, ok?"

    and get them to acknowledge what you've said. do not be afraid to "piss them off" by having to be so absolutely specific. make sure you end the sentence with what you *want* them to do, *not* what you *don't* want them to do. depending on the person they could potentially remove the "negative" by their subconscious and do exactly what you ask... with the words "no", "not", "don't" etc. removed.

    also if you want to be paranoid then use the signature-thing (fingerprint). get them to read it out to you over the phone (not by email).
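An added example, not part of the comment above: a check to run on a key file before it is attached to an email, which refuses private key material and computes the fingerprint to read out over the phone. The function names, the list of recognised key types and the sample key (built from dummy bytes) are assumptions of this example.

```python
import base64
import hashlib
import re
import struct

# PEM/armor headers that mark private key material (SSH, PKCS#8, PGP).
PRIVATE_RE = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY")
PUBLIC_PGP = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
SSH_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")

def classify(text):
    """Return 'private', 'public' or 'unknown' for key file contents."""
    if PRIVATE_RE.search(text):
        return "private"      # checked first so it can never slip through
    stripped = text.strip()
    if stripped.startswith(PUBLIC_PGP):
        return "public"
    fields = stripped.split()
    if len(fields) >= 2 and fields[0] in SSH_TYPES:
        return "public"
    return "unknown"

def ssh_fingerprint(pub_line):
    """SHA256 fingerprint of an OpenSSH public key line (xyz.pub)."""
    key_type, blob_b64 = pub_line.split()[:2]
    blob = base64.b64decode(blob_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def constructed_pub_line():
    """Build a sample ed25519 public key line from dummy bytes."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@example"

if __name__ == "__main__":
    line = constructed_pub_line()
    print(classify(line), ssh_fingerprint(line))
```

The fingerprint string has the same `SHA256:` form that `ssh-keygen -lf xyz.pub` prints, so both parties can compare it by voice.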

  18. Re:just be straight up by DarkOx · · Score: 2

    Just imagine if we had some system where you could cryptographically secure DNS values, and some defined TXT record where you could expect to get an organization's public key.

    This would work nicely because the client could safely and automatically fetch the key, encrypt the message, or just sign it. It would then be ciphered at least as far as the last hop publicly exposed mail server, safe from prying eyes at your ISP, their mail rescue service, etc.

    Sure it only works for org level keys, but it would be an easy step in the right direction.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  19. S/MIME by X10 · · Score: 2

    I use www.djigzo.com. It's open source, it uses S/MIME, it's server based, and it's easy to use.

    --
    no, I don't have a sig
  20. Re:just be straight up by xaxa · · Score: 2

    I'm not sure if you're being sarcastic, but I searched and found this: http://tools.ietf.org/html/rfc4398 "Storing Certificates in the Domain Name System (DNS)"

    GPG supports it! http://www.gushi.org/make-dns-cert/HOWTO.html

    It works for emails -- alice.example.org is for alice@example.org.

  21. Use the post office by Anonymous Coward · · Score: 4, Funny

    Type the reply on a Royal typewriter and take it to your local post office. Use Certified or Registered mail if you feel squeamish about sending personal information. The NSA can't open a properly mailed letter.