Abstract: On deep research on the workflow of non-repudiation and fair-exchange protocols in electronic commerce, it is proved that these protocols with trusted third party need to run in four steps at least. The analysis of an existing protocol shows that it needs to run in four steps, rather than just run in three steps it claims. On the principle that security protocol and cryptography system should be designed separately, a common model of convertible authenticated encryption schemes is proposed by analyzing some existing convertible authenticated encryption schemes. By using this model, a secure email protocol with semi-trusted third party is designed. Result shows that this protocol has non-repudiation features of both sender and receiver by formal analysis.