It’s probably safe to say that being worried about secure and guaranteed authorship of emails has not yet moved into the public’s consciousness. I know my mother and father are probably not staying awake at night worried about someone faking their email address and convincing me that they want to give me tons of money, if only I’ll fill out my bank account information online. [Were our interactions only so advanced, technologically or emotionally.]

However, some people, organizations and companies are very concerned about secure emails. The main approach that these companies have taken to securing emails involves a digital certificate installed on your computer. The certificate is just a tiny encrypted file that is loaded into your email client, and/or internet browser, which then ensures your identity on the web. The certificate includes a cryptographic key, called a private key, that is associated with a public key on a key server out on the Internet. The two keys are “linked” via an algorithm and if the result of the algorithm from the two keys matches, your private key is verified.
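
The key-pair link described above, as an added example that is not from the original post: a signature made with the private key verifies only under the matching public key, and only for the unmodified message. It uses textbook RSA over a SHA-256 digest with constructed demo primes; real signed email uses padded signatures inside an S/MIME structure, and every name and sample value here is an assumption.

```python
import hashlib

E = 65537  # common public exponent


def make_keypair(p, q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent: inverse of e
    return (n, e), (n, d)


def digest_as_int(message: bytes) -> int:
    """SHA-256 of the message, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Sender side: only the holder of d can produce this value."""
    n, d = private_key
    return pow(digest_as_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient side: needs only the public key from the certificate."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message)


# Constructed demo keys built from Mersenne primes so the example runs
# offline. Primes of this special form are insecure; real keys use
# randomly generated primes.
PUBLIC, PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**127 - 1, 2**1279 - 1)

# Constructed sample message.
MESSAGE = b"From: alice@example.com\r\n\r\nLunch on Friday?"
SIGNATURE = sign(MESSAGE, PRIVATE)

if __name__ == "__main__":
    print("matching key, intact message:", verify(MESSAGE, SIGNATURE, PUBLIC))
    print("matching key, altered message:",
          verify(MESSAGE + b"!", SIGNATURE, PUBLIC))
    print("different key pair:", verify(MESSAGE, SIGNATURE, OTHER_PUBLIC))
```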

Most major email clients, including Outlook, support digital certificates. In fact, Microsoft will direct you to vendors who provide certificates. In Outlook 2003, go to Tools->Options->Security->Get a Digital ID, and you will arrive at the Digital ID page of Microsoft’s Office Marketplace. At the moment, one of these vendors, Comodo, will provide you with a digital ID for free. Yahoo and others will charge you $19.95. Thawte, which is not listed on Microsoft’s Marketplace, has been providing digital certificates for some time and is one of the premier digital certificate providers. (Thawte’s founder, Mark Shuttleworth, sold the company to VeriSign in 2000, and has moved on to new things.)

Once a digital certificate has been installed, you can digitally sign your emails.

I’ve just signed up with Thawte and downloaded my certificate and installed it in my browser(s) and Outlook. Mark Noble provides a great tutorial for those interested in the process of getting and configuring a certificate from Thawte.

Once you have configured the Outlook client to add your digital certificate, your emails get a little ribbon icon on them, essentially telling the recipients of your emails, for better or worse, that you indeed sent the email.

As the digital certificates are local (that is, they reside on a workstation), you can’t send signed emails from your web-based account while at an Internet Cafe in Kenya.

How, you ask, does Thawte, or any of the other digital ID providers, actually authenticate you? Well, that’s a little more complicated. Thawte will authenticate your email address for you initially, which is all that we’ve done here. Essentially, Thawte is willing, at this point, to say only that this email address requested this digital certificate. It doesn’t say that you, your name, or any identity associated with you is actually attached to the digital certificate.

To do that, Thawte uses what it calls a Web of Trust. These are face-to-face interactions with Thawte notaries. Notaries are everyday people, usually a little computer crazy, who have been notarized through the Web of Trust. If you go to get “trusted,” you will show the notary a picture ID (a license or a passport) and they’ll verify that you are who you say you are. At that point, you may update your digital certificate to show that your signature is actually coming from you.
