When sending e-mail, especially for official correspondence, I use a digital signature obtained using a free certificate from Thawte/Verisign. With that same certificate I am able to exchange encrypted email with persons with whom I've exchanged public keys.
I encourage all my customers to use encryption and signing when exchanging emails with me. I want to provide the following results:
- A reasonable effort to keep sensitive information such as network addressing and topology from falling into unauthorized hands.
- The parties in the email are assured the email came from the sender and has not been modified in transit.
Other uses of encrypted/signed email could be:
- Financial Information between banks, bankers and customers.
- Tax Preparers and clients
- Data Security in case a web-based email account password is stolen.
When I sign an email and it's received at the destination, it's proven that the email I sent is from me and that the message has not been modified since I sent it. I always use signing when sending a message. Encryption is optional based on customer requirements.
The math and process are fairly complicated, but the essentials are that the email client (Thunderbird, Outlook, Outlook Express, etc.) takes your original message, hashes it, transforms that hash with your registered private 'key', and outputs the original message with a special signature attached. Encryption works much the same way.
When the person at the destination gets my email, they see that the message was signed. They can click on the properties of the signature and verify that the mail actually came from me and that the signature has not been altered.
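The sign-and-verify flow described above, as an added example that is not part of the original post. It assumes textbook RSA without padding and toy keys built from well-known Mersenne primes so it runs with the standard library only; real S/MIME clients use padded signatures and keys bound to a certificate.

```python
import hashlib

E = 65537  # common RSA public exponent


def make_key(p, q):
    """Build a toy RSA key pair from two primes: ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (n, E), (n, d)


def digest(message, n):
    """SHA-256 of the message as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    """Sender side: hash the message, then apply the private key to the hash."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(message, signature, public):
    """Recipient side: undo the signature with the public key, compare hashes."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def demo():
    # Constructed keys and message, for illustration only.
    sender_pub, sender_priv = make_key(2**521 - 1, 2**607 - 1)
    _, impostor_priv = make_key(2**127 - 1, 2**521 - 1)
    mail = b"Firewall change window: Saturday 02:00"
    sig = sign(mail, sender_priv)
    return {
        "untouched": verify(mail, sig, sender_pub),
        "modified_in_transit": verify(mail.replace(b"02", b"03"), sig, sender_pub),
        "signed_by_someone_else": verify(mail, sign(mail, impostor_priv), sender_pub),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: signature {'valid' if ok else 'INVALID'}")
```

The message itself travels in the clear next to the signature; signing proves origin and integrity but hides nothing, which is why encryption is a separate step.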
Now we get into the whole National Security area. It is true that terrorists use encryption to hide plans sent through email. There are ways to encrypt email without going through a trusted third party provider like Verisign/Thawte. I am trying to balance the National Security aspect of email encryption with the need to encrypt email to prevent unauthorized access by anyone on the street. Therefore, I recommend using a trusted third party verification system.
I have been using the free Thawte personal digital certificate for a while. I recently upgraded to the verified trusted certificate for $25. I wanted to put my name on the certificate. This required taking my passport and driver's license to a couple of bank managers who notarized the forms and paying $25 to Thawte to verify the documents.
After using the FREE certificate, if you want to upgrade to the certificate that you can place your name on, contact me. Because of the high level of verification that I went through, I am now authorized to be a Web of Trust notary. If you use me I am allowed to give you 35 points of the required 50 points. To see my status visit -
https://www.thawte.com/cgi/personal/wot/directory.exe?node=13016
If anyone is interested in the FREE personal email certificate - click on -
https://www.thawte.com/secure-email/personal-email-certificates/index.html
Implement the digital signature in Outlook or Outlook Express via this link -
http://www.ust.hk/itsc/pki/smail/oesigned.html
For more background -
http://en.wikipedia.org/wiki/Digital_signature
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211953,00.html
http://www.youdzone.com/signature.html