Encryption, Digital Certificates and Signatures
What
are Digital Certificates and Public Keys?
A digital certificate is a special kind of machine-readable document
issued by a trusted Certificate Authority (CA) to an individual or
organization which is unique to them. It is kept secret and access to
it is usually protected by a password. There is a public part of the certificate
which is included with your digital signature (see below). In order for someone
to send you something encrypted so that only you can read it they require their
own digital certificate and the public part of your certificate.
An easier way to use digital signatures and encryption is to generate your own
key pair. This is like a digital certificate but you do not need a CA to give it to you,
you can create it yourself (see below).
What
is a Digital Signature and How Can One Tell If It Is Valid?
Most modern commercial e-mail clients can use a digital certificate to sign an
e-mail message as well as to encrypt it. If you sign an e-mail message
with your digital signature then a special attachment (the digital
signature) is added to the message which is generated by your e-mail
client reading both the content of the message and your digital
certificate. When you send the message to other people, their e-mail
client can compare the contents of the message with both the sender
and the digital signature. If a single character of the message has
been changed or the actual sender does not match the certificate then
the e-mail client will report that the signature is invalid and the
message has either been forged, tampered with, or both. It is very
easy to impersonate (technically known as spoof) anyone via
simple e-mail. A digitally signed e-mail is at least as assuring as a
document signed by hand in ink on letterhead and has the same legal
status in the UK (Electronic
Communications Act 2000,
Electronic Signatures Regulations 2002) and the rest of the
European Union (Directive
1999/93/EC).
Note that most e-mail that you send can easily be read by system
administrators of mail servers that the mail passes through as well as
others who monitor (sniff) internet traffic If you encrypt your e-mail
using your digital certificate (this requires that the recipient has a
digital certificate) then only you and the intended recipient will be
able to read the message.
If you use Microsoft Outlook, a message with a valid signature will
appear in your list of messages with an icon that looks like this:(note
the tiny red ribbon) and when you open the message you will see this
icon: next to a line indicating
the e-mail address of the person who signed the message. You can click
on this icon to see the internal details of the certificate including
the name of the person to whom it was issued if the certificate has
been fully notarized. Other e-mail clients will have similar
mechanisms. If you read your e-mail on a web browser then it is likely
to simply show an attachment which looks like this:
smime.p7s (web-based e-mail clients tend
not to be smart enough to check digital signatures).
Note that if you generate your own keys then you first need to ensure that
the recipient of your message has set up their email client to process the extra
text that the signing or encryption adds to your e-mail message. To encrypt you will have
had to exchange public keys. There is no formal mechanism for building up trust for
personally generated keys other than for you to digitally sign the keys that you trust
from people you have met and for them to sign your key. Keys that are signed by people that you
trust then inherit trust and an informal web of trust is created.
How
Can One Get a Digital Certificate or Genaterate Keys For E-Mail?
There are many reputable Certifying Authorities who issue
certificates, usually for a fee.
Currently updating this section to include free X509 certifying authorities.
If you wish to generate your own keys, I recommend GNU Privacy Guard (GnuPG) which can be found at
http://www.gnupg.org/. A Windows version is available to download from
http://www.gpg4win.org/. A MacOS version is available to download from https://gpgtools.org/
|