Jason Palmer, CPA, CITP

Cyber Insurance Auditing

You are here: Home / Archives for Class 1 Digital Certificate

Securing your Email – Digital Certificate for Secure Email

By Leave a Comment

HTTPS SSL Computer CubeA Digital Certificate for Secure Email enables you to digitally sign your email and authenticate that the message was actually sent from your email account.  Optionally, you can also encrypt the email message to secure it against unauthorized viewing.  (Encryption of email will be discussed in a future article.)

A Digital Certificate for Secure Email is issued by one of the well-known Certificate Authorities, the same group of companies that issue SSL (Secure Socket Layer) Certificates that encrypt web browser communications.  (The “lock” in your browser when connected over HTTPS:// )

A Class 1 Certificate requires only that you enter your First Name, Last Name, Email Address and a pass-phrase which secures the Certificate itself from unauthorized use or for revocation if the Certificate is compromised or lost.  The only Authentication performed is that the email address submitted is valid and that you have access to that email account to retrieve the Certificate.  It is important to note that the Certificate is ONLY validating the existence of the email address.  Anyone who has access to the specific email account can request a Certificate and can most likely use it to authenticate a message sent from that specific email account.  This is critical to understand if you share your email account with others.

For many non-business users, a Class 1 Certificate is adequate and available at no cost from a Comodo, a Certificate Authority Provider.  (There are a few other free providers but none as quick or as easy to use as Comodo.)   Most people have an email account that they do not share and that is properly secured with a strong password.  (Well at least they have an email account they do not share.  Not everyone follows good password creation guidelines.)  The point being that if you send an email message to jason@palmer.net  confidence is high that I am the only one sending and receiving mail from that account.  In fact, the entire point of using a Digital Certificate for Secure Email is that you as the recipient could immediately tell if the message was sent from the real jason@palmer.net email account (most likely me if a Class 1 Certificate and definitely me if a Class 2 Certificate) or if it was spoofed.  (There are other ways of determining a Spoofed email, specifically by reviewing the Full Headers of the Message and spotting inconsistencies in the email addresses and Servers.)

For added assurance, you may want to consider a Class 2 Certificate whereby you need to provide the Certificate Authority with proof of identity, such as a Government issued ID (Driver’s License, Passport, Passport Card, Birth Certificate, or similar).  A Class 2 Certificate validates both the email address and that you are its’ owner and a real person.  Email signed with a Class 2 Certificate is similar sending over a notarized document.  An independent third party has verified your identity so when you use the Certificate a certain level assurance can be assumed by the recipient that you are the actual, legitimate sender of the message.

Class 2 Digital Certificates for Secure Email come in two flavors:  “Personal”, that specifically identify you as an individual and “Business”, that specifically identify you and that you are a legitimate employee of a specific company.

You may be wondering, “Wow, this sounds great!  Why isn’t everyone using a Digital Certificate for Secure Email on every message?”  The answer would be because it is a little cumbersome to setup and use.  First both you and everyone you want to send and receive mail from need to obtain his or her own Digital Certificate for Secure Email.  Next, you need to configure your email client to work with the Digital Certificate for Secure Email.  This is relatively straightforward in Microsoft Outlook, Mozilla Thunderbird, or Lotus Notes.  Not quite as easy for Web Mail Users of Gmail, AOL, Hotmail, Yahoo, and similar services as it requires a plug-in or extension installed in the web browser. (A plug-in or extension is a specialized helper application that enables additional features and capabilities in your web browser.)

If the recipients’ email client is properly configured to understand a Digitally Signed email message, when you send a Digitally Signed Message, the recipient will see a notation on the email that the message was Digitally Signed.  However, if the recipients email client is not setup properly, the recipient will see an additional text attachment to your message that is meaningless and contains the Digital Signature Information.  This can become very annoying to your recipients as every message would you send them would have an attachment.

Securing your email all starts with either a Class 1 or Class 2 Digital Certificate for Secure Email.  At least visit Comodo below and start with a FREE Class 1 Digital Certificate for Secure Email, and then tell all of your friends to do the same.  A Class 1 Digital Certificate for Secure Email takes only minutes to request and install, they are valid for one year, and are available free of charge

Stay tuned and read my future articles on how to implement Secure Email Communication for transmission of sensitive and confidential information over the wild Internet through Email.

Important Technical Note:  Make sure that you use the same computer and web browser to request and access the retrieval of Digital Certificate for Secure Email.  You will also need to make sure that Java is enabled and that your web browser accepts Cookies to complete the process successfully.  The Certificate is actually being created and added to your web browser’s certificate store, and then you have to export it for your specific email client.  Microsoft Internet Explorer and Microsoft Outlook do not require this step as they both can access the same Certificate Store in Windows.  Firefox and the Thunderbird Email client or Lotus Notes might require some additional steps to configure properly.  Instructions are provided by both the Certificate Authority and your Email Client Vendor.

Digital Certificate for Secure Email Authority Vendors:

Free Class 1

Comodo – FREE AND RECOMMENDED CHOICE
http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

Symantec TrustCenter – FREE (Not as fast or easy as Comodo.)
https://www.trustcenter.de/RetailStore/cid/CustomerData!input.action

StartSSL – Free but cumbersome to apply for and install
https://www.startssl.com/?app=1

CACert – Free and very cumbersome to apply for and install
https://www.cacert.org/

Paid Class 1 and 2 Personal and Business
NOTE:  There is no reason to pay for a Class 1 Certificate.  Use the Free options above.

Comodo – Business Class 2 Certificates – Value Priced Leader
http://www.enterprisessl.com/ssl-certificate-products/addsupport/secure-email-certificates.html

*Prices and Features vary widely with Vendors listed below – Read Carefully before purchasing.

GlobalSign – Personal and Business Class 1 and 2
https://www.globalsign.com/personalsign/comparison.html

IdenTrust – Personal and Business Class 2
http://www.identrust.com/certificates/trustid.html

Symantec TrustCenter – Personal Class 2
http://www.trustcenter.de/en/products/tc_personal_id.htm

Symantec TrustCenter – Business Class 2
http://www.trustcenter.de/en/products/tc_business_id.htm

Symantec/Verisign – Personal Class 1
http://www.symantec.com/verisign/digital-id