The "No Network is 100% Secure" series
- Digital ID Certificates -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What are digital identification certificates?: The simple definition is that
digital ID certificates are a form of electronic verification: a Certificate
Authority (CA) binds a name (a web site's host name, or a person's e-mail address)
to a public key and signs that binding. Certificates are commonly installed on web
sites that offer secure transactions to prove that the site you are visiting really
is the site it claims to be. You can also add a digital ID certificate to many
e-mail clients to prove that mail coming from your e-mail address really did come
from you. Certificates can have levels of trust, including "untrusted" and "trusted".
A certificate is "trusted" when it chains to a root CA that your browser or mail
client already trusts. An "untrusted" certificate (self-signed, or issued by a CA
your client does not know) still carries a usable public key, but by itself it
proves nothing about who holds that key, since anyone can produce one. Every real CA
performs at least some verification before it issues a certificate, which is why a
certificate from a known CA is worth more than one from an unknown issuer, and far
more than a communication where no certificate is present at all.
E-mail sender address spoofing and DNS poisoning, covered in other white papers in this
series, have become such a problem that it's only a matter of time before digital ID
certificates become a mandatory component of any Internet communication.
Certificates also supply the keys for encryption protocols such as TLS and its
predecessor SSL, and for S/MIME e-mail encryption. "Pretty Good Privacy" (PGP) does
the same job with its own key format rather than with CA-issued certificates.
What is a Certificate Authority?: A certificate authority (CA) is an entity
that issues digital certificates for use by other parties. These certificates can be
used in SSL (Secure Sockets Layer) and TLS connections such as HTTPS, or as a means of
signing and encrypting e-mail (S/MIME), which otherwise travels over SMTP with no
verification of the sender at all.
What is an SSL certificate?: Transport Layer Security (TLS) and its predecessor,
Secure Sockets Layer (SSL), are cryptographic protocols that provide confidentiality,
data integrity and server (optionally client) authentication for communications over
networks such as the Internet. TLS runs on top of a reliable transport, normally TCP,
and encrypts the application data (HTTP, for example) between the two endpoints of
the connection. An "SSL certificate" is the X.509 certificate the server presents
during that handshake.
The Secure Sockets Layer protocol was created by Netscape to ensure secure transactions
between web servers and browsers. The protocol relies on a third party, a Certificate
Authority (CA), to identify one end or both ends of the transaction. This is a brief
explanation of how it works:
- The browser requests a secure page (usually https on port 443).
- The web server sends its certificate, which contains its public key.
- The browser checks that the certificate was issued by a trusted party (usually a
trusted root CA), that the certificate is still within its validity period, and that
the certificate is bound to the site contacted (the host name in the URL matches a
name in the certificate).
- The browser then generates a random symmetric session key, encrypts it with the
server's public key and sends it to the server. Only the holder of the matching
private key can recover it.
- The web server decrypts the session key using its private key. From this point on,
both sides encrypt everything with the symmetric key.
- The browser sends the HTTP request, URL included, encrypted with the symmetric key.
- The web server sends back the requested HTML document and HTTP headers, encrypted
with the symmetric key.
- The browser decrypts the response using the symmetric key and displays the page.
Two points are worth adding to this description. First, it is the RSA key exchange of
the original SSL design; current TLS (TLS 1.3, and most TLS 1.2 deployments) instead
agrees the session key with an ephemeral Diffie-Hellman exchange and uses the
certificate's key only to sign the handshake, so that a later theft of the server's
private key cannot decrypt recorded sessions. The certificate checks in the third
step are the same either way. Second, a certificate that fails any of those checks
should be treated as no certificate at all: the traffic is still encrypted, but you
have no idea who is on the other end of it.
A very similar sequence is used for TLS/SSL connections to IMAP, POP and SMTP e-mail
servers. Please have a look at the
cryptography white paper for more information about this process.
E-mail digital ID certificates:
The cool thing about using digital certificates in modern e-mail clients such as
Thunderbird is that e-mail can be encrypted end-to-end (the S/MIME standard),
provided that the receiving party has a certificate and that the sender has the
recipient's public key. The logic may seem a little backwards at first: you encrypt
with the recipient's public key, which anyone may know, and only the recipient's
private key, which nobody else has, can decrypt the result. It does work.
To get the intended recipient's public key, they simply need to send you a digitally
signed e-mail from a client that has a certificate installed for their e-mail
address; the signature carries their certificate, and your client stores it. If you
look at your list of certificates for "other people", you should see them listed.
Once it is there, you can send encrypted e-mail to anyone you have a listed
certificate for. The step-by-step procedure for every e-mail client out there is
beyond the scope of this white paper.
In any case, so long as the intended recipient reads your e-mail from a client that
has the same certificate installed together with its private key (the private key
must be the one matching the public key you encrypted to), they will be able to read
your message with no problems. The e-mail is encrypted for its entire journey but is
displayed in clear text when the recipient opens it. Feel free to test this; it's
simple. And note that if the recipient tries to read your e-mail from a client that
has no certificate (or a different certificate), the client can only display an
encrypted, impossible-to-read message. Pretty slick!
The above comment requires a bit of amplification. If you retrieve your e-mail
from several different computers, say at home and at work, a certain amount of
certificate management is going to be required. You are going to need to export
your certificate together with its private key (most clients export both as a
password-protected PKCS#12, or .p12, file) to a safe location and then import it
into each mail client you use. Exporting the certificate alone is useless for this
purpose, since it holds only the public key. If you instead obtain a separate
certificate on each machine, you will have different key sets for the same e-mail
address, and reading your e-mail will be problematic, since each message is viewable
only on the computer that holds the private key matching the public key it was
encrypted to. And of course if you have mail clients with no certificate installed,
you will not be able to view encrypted e-mail on those machines. Another
consideration is that digital certificates have expiration dates and need to be
renewed. Mail that was encrypted to a certificate that has since expired is still
readable, because decrypting needs only the private key and keys do not stop working
on the expiry date; what you get instead is a stream of expired-certificate
complaints, and your correspondents' clients will refuse to encrypt new mail to the
expired certificate until you renew it and send them a freshly signed message. Who
needs that? So clearly, while digital ID certificates offer a lot of advantages, some
thought does need to go into how you plan to implement and manage them.
The certificate expiration problem can be mitigated by using something like PGP,
since those keys can be set to never expire. However, PGP is somewhat more
difficult to set up and use, and you will still need to export/import the same key
pair onto all of the computers you have e-mail clients on. In addition, you will
only be able to exchange encrypted e-mails with those who are also running PGP,
rather than with anyone who has pretty much any root-CA-issued certificate installed.
While PGP is arguably an aged early-1990s architecture, it nevertheless still performs
quite well even considering its limitations. Plus, it's 100% free.
A final comment, since you want your e-mails to be completely secure: make sure your
client talks to the mail servers over TLS or SSL (STARTTLS on the standard SMTP, IMAP
and POP ports, or the dedicated SSL ports), not plain unencrypted SMTP. That protects
only the hop between you and your mail server, though; the S/MIME or PGP encryption
described above is what protects the message end to end.
Certificate Authorities (CA): The following are entities that issue digital
ID certificates. If you would like a CA added to this list, please contact me and I
will look into it.
Verisign: Verisign is more or less the "gold standard" when it comes to CAs.
A large share of commercial web sites that use certificates have Verisign certs
installed. Individuals can also purchase browser and e-mail identification certs
from Verisign for a modest fee. Verisign currently (2009) offers annual certs for
individuals for $20. The authentication process is involved enough to assure
that the cert is trustworthy but is not obnoxiously so.
Comodo: Comodo offers free annual digital certificates to individuals. I was
not able to get them working on the latest version of Thunderbird (2.0.0.23) on my
test computer the first time around. But perseverance won out and the certs seem
to work just fine using a different e-mail domain's account. Comodo's support is very
good and very responsive. While Comodo certificates are helpful for signing and
encrypting e-mail traffic, they are issued with no check of the holder's real-world
identity (the cert was marked untrusted), which makes them unfit for certifying who
a person is. Nevertheless, Comodo free e-mail certificates are just fine for
ordinary privacy and sender-address verification purposes.
8/18/10 update: Installed a few Comodo certs to replace some that were about to
expire. They went right in with no problems, so it looks like they have resolved their
issues with Thunderbird. The cert no longer has an "untrusted" statement, although,
like most e-mail certs, it states that the e-mail address is "unverified".
CAcert: From my investigations, this seems to be an operation that is run
strictly by volunteers on a shoestring budget. Nothing wrong with that, of course,
but it's something to consider if this is the route you are thinking about taking.
I tried to create an account with CAcert but their server was unable to
connect to my SMTP server. Tried a couple of other e-mail address domains with no
success. These guys are probably too bush league at this point to get involved with,
although their volunteer support people were very responsive in getting back to me
quickly about problem issues.
NOTE: Further testing indicates that CAcert's failure to make a connection with
my mail servers was due to a misconfiguration on the cacert.org mail server testing
script. CAcert support said: "The current way of mail delivery will not be changed, it
is planned to deliver messages by standard MTA somewhen in the future. But do not
expect that to happen too soon."
Perhaps in a year or two CAcert will be ready to "play the Palace". In the meantime,
look elsewhere unless you are an "early adopter". 091409 - Their support is great but
their delivery methodology is pretty shaky.
Ascertia: Ascertia offers a 30-day free trial certificate that costs 7 Euros
per year thereafter. Because the certificate is not free and because Ascertia seems
to be an "also ran" CA, they were not evaluated. If you have any first hand
experiences with this outfit, please pass them along.
Aloaha: Currently being evaluated. The process to create, fetch and install
the free, one year certificate was very easy, although the fetch portion was on a
German-language-only web page. However, once installed, Thunderbird complained
about the certificate and could not sign outgoing e-mail. So far, Aloaha support has been
unresponsive in my efforts to get their certificate to work.
Thawte: Thawte also offers free digital certificates, although they do not
have the most user-friendly process. Thawte's untrusted certificates were somewhat
easy (but not real easy) to create, fetch and install. However, for trusted digital IDs,
Thawte is a whole different experience. Thawte uses a group of "community" Notaries
to "certify" people's identities. This has spawned quite the cottage industry of
people looking to generate a little extra tax-free cash, or at the very least a few free
beers, for their notarizing efforts. So while Thawte certificates for individuals are
technically "free", in reality they could turn out to be somewhat pricey by the
time you are through. In addition, my experience with these "Notaries" has not been
the greatest. Many suffer from what we used to call in the Military a "Corporal
with a clipboard" syndrome. Their attitudes ranged from rude to downright mean in
some cases. Not one of these "Notaries" provides this "service" for purely altruistic
motives. The Thawte certification process was so painful that I just gave up trying
to have my identity "certified" by Thawte. Unless you enjoy jumping through lots of
unnecessary hoops and dealing with irredeemably vile people, Thawte is an experience
best avoided.
10/14/09 Update: Mercifully, Thawte has decided to discontinue their personal e-mail
certificate program.
Other CA evaluations and reviews: If you have suggestions for other Certificate
Authorities that you'd like to see reviewed here, pass along your suggestions and we'll
look into it!
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20-year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional-grade monitoring tools on a daily basis.
Next in the security white paper series:
How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
IT employment challenges of the 21st century
Competency Certifications White Paper
ISO/IEC 27005:2008 Standard for Security Risk Management
High value sites recent hacks
Still more 2009 hacks in the news
Firewall White Paper
Password White Paper
Virus White Paper
Ghostnet White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Phishing White Paper
DNS Poisoning White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourcing White Paper
Easyrider LAN Pro Consulting services:
Network Security Audit and PC Tune-up service
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
Last modified September 2, 2009
Copyright 1990-2010 Easyrider LAN Pro