An email security certificate is the electronic analog of a passport; the mechanisms used to issue and use passports are therefore applicable to certificates in much the same way.
Email security certificates are issued by authorities whose credibility is beyond doubt (compare with the Department of State in the US or the Home Office in the UK).
Basically, an email security certificate is an electronic document with a number of fields, such as:
- your name
- your email address
- your public key (which you can safely share with others)
- your private key (this one you keep secret)
- the name of the authority that issued the certificate
- the digital signature produced by the certificate's issuer
- the validity period (expiration date)
A certificate binds together an email address and personal identity data, which in turn are sealed by a digital signature produced by the trusted authority (compare with the stamps used in passport issuance).
There are revocation centers where you can revoke or even cancel your certificate (compare with the situation of a lost or stolen passport).
Email certificates are used equally to digitally sign email messages and to encrypt the contents of the messages.
An authority is someone who can clearly ascertain a user's identity, such that no one would doubt it.
Actually, this is always a matter for two parties: both you and your recipient must trust the authority you have chosen to verify your identities.
Because there may be a great many potential authorities (from your mutual friends to trusted third-party organizations) with different levels of trust, a mechanism for regulating authorities was needed, and in the end this led to a hierarchical structure.
There are a few widely known top-level authorities and a great many less-known ones, which obtained their own certificates from authorities higher up the hierarchical ladder.
Authorities verify a user's identity by issuing a digitally signed certificate, which may be free or paid for depending on its expiration date and on the level of confidence placed in the certificate's issuer.
Normally, authorities attest that the public key contained in the issued certificate belongs to the person whose personal data appears in the certificate, while the identity of the certificate's owner is not itself verified.
Where to get a certificate?
Anyone can obtain his or her own certificate from an authority; there are several very well-known and certainly trusted authorities, producing mostly paid-for certificates:
- VeriSign (Digital IDs for Secure Email: 1-year certificate for 19.95 US dollars)
- Thawte (Personal E-mail Certificates: free to individuals for non-commercial use)
- GeoTrust (Client certificate for 19.95 US dollars)
How to share the public part (a.k.a. the public key) of a certificate with others?
Once you have your own email certificate, to begin using it properly you first have to share the public key shipped with the certificate with:
- those to whom you are going to send digitally signed emails
- those from whom you wish to receive encrypted email messages
At the moment we are only dealing with email certificates installed in Outlook Express; to extract the public key from such a certificate you should use the Certificate Export Wizard embedded in Outlook Express (see under "Tools" -- "Options" -- "Security" -- "Digital IDs..." -- "Export") and just follow the instructions. A public key extracted with the help of the wizard is saved in a file, typically of the .CER file type (extension); it can later be delivered by the usual means to any persons concerned. Please refer here for more information on extracting a public key from a certificate installed in Outlook Express.
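As an added example that is not part of the original page, the Go program below builds a constructed sample certificate in the DER form a .CER export holds, then reads it back the way a recipient would: it extracts the fields listed earlier, verifies the issuer's signature (the "stamp"), and checks the validity period. The person's name, the address, and the self-signed setup are assumptions for illustration only.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// CertFields holds the public fields the text lists; a .CER file carries no private key.
type CertFields struct {
	Name, Issuer, KeyType string
	Emails                []string
	NotBefore, NotAfter   time.Time
}
// MakeSampleCER builds a constructed, self-signed S/MIME-style certificate from sample
// data and returns its DER bytes, i.e. what a .CER export file contains.
func MakeSampleCER(name, email string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the private half never leaves the owner
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: name},
		EmailAddresses: []string{email}, // the address the certificate is bound to
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour), // one-year validity
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
// InspectCER parses .CER bytes, verifies the issuer's signature over the certificate body
// (the "stamp"), checks the validity window at time now, and returns the public fields.
func InspectCER(der []byte, issuer *x509.Certificate, now time.Time) (CertFields, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertFields{}, err
	}
	if err := issuer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return CertFields{}, fmt.Errorf("issuer signature does not verify: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return CertFields{}, fmt.Errorf("certificate not valid at %s", now.Format(time.RFC3339))
	}
	return CertFields{Name: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName, Emails: cert.EmailAddresses,
		KeyType: fmt.Sprintf("%T", cert.PublicKey), NotBefore: cert.NotBefore, NotAfter: cert.NotAfter}, nil
}
```

A certificate issued by a real authority would be checked against that authority's certificate (and, for a hierarchy, through cert.Verify with a CA pool) rather than against itself as the self-signed sample is here.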