X.509 Revisited

02/07/2004 16:09:17
tags: security

I was playing around last night with X.509 security and took another look at Thawte’s free email certificates. My original issue with them was that I am primarily interested in confirming that the email I send/receive is in fact read by and/or sent from the individual who owns that address. I DON’T care what there real name is, as registered with their government, etc. I am perfectly content to correspond with someone known to me only as “johndoe564”, for example.

Thawte issues X.509 certificates for personal email use for free, but requires that you submit some sort of “official” identification number, such as a Driver’s License or Social Security #. This rubs me the wrong way. I don’t doubt Thawte’s sincerity as an organization, nor do I believe that this a big scam to gather personal information. But they don’t need any official information from me. Their only requirement is that they can verify that I, in fact, own and have access to the email address I use to register.

So I signed up, using a very old library card number that I had sitting around. :)

I had previously posted some details on how I was able to issue my own certificates, and that this would work with both Mozilla and Mail.app clients. However, only the technically literate could send me encrypted email ( which is fine - I don’t really use it that often.) The bigger problem is all these computer illiterate people using Windoze email clients (usually) who were confused by the email messages and assumed I was doing something wrong and kept harassing me about it. Switching to a Thawte certificate will eliminate some of this noise, and generally make things easier. Since I didn’t have to give them “secret” information about myself, I am happy.

One word of advice for Mac Users considering this, however. The newest version of Safari can import the certificate from Thawte (versions 1.1 and older could not). However, I still recommend that you use Mozilla. The reason is that I have been unable to find a way to export the certificate information from Keychain Access once you import it. So if you use Safari to download your certificate, it will be difficult/impossible to use the same certificate with Mozilla, effectively locking you into using Mail.app as your client.

However, if you use Mozilla to import the certificate, you can then use the backup option to create a backup copy of your certificate that can then be imported into Keychain Access. This allows you to use your cert with any mail client.

One snag is that the certificate actually contains your cert, and 2 cert’s for Thawte. Because you likely already have the cert’s for Thawte in your keychain, you must delete them first, or Keychain Access will refuse to import your private/public keys, claiming that they have already been imported…

Also, a benefit that I discovered with using Mail.app is that you can encrypt email to a person, NOT an address. I have several email address, all of which are in my address book entry on myself. When I created my first certificate with Thawte, I used my primary address. I then tried sending an email to myself, using one of my alternate addresses. To my surprise, the email was encrypted, using the key tied to my primary address. Mozilla cannot (as of version 1.6 anyway) do this. You must have the exact address in the certificate in order for it to be used.

Anyways, I will continue to try this out, but I imagine I will stick with this for now.

Similar Pages