UPDATED: Getting even more serious about email security!
A couple of months ago, I wrote here about email security and how I'd become a "notary" for the free email certificate service provided by Thawte. Well, that's unchanged, but thanks to a colleague who alerted me to another free certificate service provided by CAcert (also see their Wikipedia page here), I was able to become recognized as a CAcert identity assurer using my Thawte credentials.
More of the same, you say? Well, only to some extent. CAcert differs from Thawte in many ways. For one thing, they're a completely free and open certificate provider, which I have to salute. Using their service, I can also generate server keys, which is handy. (That's right, completely free SSL certificates for my web sites!) Additionally, they will sign existing PGP/GPG keys for their users, which is a nice addition to my GPG key signatures.
Is there a downside? Well, not much, but if one is to be found, it's that CAcert's root certificates aren't yet in everyone's browser and email certificate repositories, as shipped by their operating system or browser vendors. That's changing, but for now, CAcert users will from time to time find people who cannot verify their identities. That's disappointing, but as I said, it's changing.
Why bother? Well, if email security is important to you, the answer should be self-evident. If it's not, consider the SSL certificate argument. When you connect to (say) your bank, your browser in all likelihood uses SSL to encrypt your session with the bank. Your browser is also validating the bank's authenticity by checking its X.509 server certificate, ensuring that you are indeed talking to your bank and not some rogue site run by phishing miscreants aiming to steal your money. With an email certificate, you can provide that same kind of identity assurance to the people you send email to. It also enables exchanging encrypted email if both parties have a certificate, but the identity validation alone is worth the price of admission, in my opinion.
Oh, and that "price of admission," in the cases of Thawte or CAcert, is US$0. They are free services.
The question you should be asking is why NOT bother? Seriously. Some people find signed email and "dealing with certificates" to be difficult, confusing, not worth it, etc. You may be one of those people. It's my opinion that those attitudes are not well founded given the reality of how bad the state of email security is these days. Imagine if all your friends and colleagues used validated email identities, and you were able to tell your mail client to delete all unsigned email. Voilà, no more spam. That's something we security folk refer to as "whitelisting".
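To make the two arguments above concrete, here is an added example (my own script, not code from the original post, Thawte or CAcert) that walks the whole scenario with openssl: a stand-in root CA issues an email certificate, a message is S/MIME signed, and a recipient checks it first with the signer's root installed and then without it (the CAcert "root not shipped" case). The accept/reject helper is the "delete all unsigned email" rule expressed as a check, and the last step shows the encrypted-email case. Every name, address, key and message is constructed for the demo; `verify_msg` and `decrypt_msg` are helper names I chose, not openssl commands.

```shell
#!/bin/sh
# Added example: S/MIME sign/verify/encrypt round trip with openssl.
# All CAs, certificates, addresses and the message are constructed here.
set -eu

WORK="${SMIME_DEMO_DIR:-$(mktemp -d)}"
cd "$WORK"

# 1. A stand-in for a CA such as Thawte or CAcert: a self-signed root.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. The user's email certificate, issued (signed) by that root.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Ken Example/emailAddress=ken@example.invalid" \
  -keyout ken.key -out ken.csr >/dev/null 2>&1
openssl x509 -req -in ken.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -out ken.crt >/dev/null 2>&1

# 3. An unrelated root. A recipient who trusts only this one is the person
#    whose mailer never got the signer's root installed.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Other Root CA" -keyout other.key -out other.crt >/dev/null 2>&1

# 4. Sign a constructed message (clear-signed multipart/signed S/MIME).
printf 'Subject: hello\n\nThis message is signed.\n' > msg.txt
openssl smime -sign -in msg.txt -signer ken.crt -inkey ken.key -out msg.signed

# verify_msg TRUSTED_ROOT MAIL_FILE -> prints "accept" or "reject".
# The whitelisting rule: accept only mail whose signature verifies against
# a root the recipient trusts; unsigned mail has nothing to verify.
verify_msg() {
  if openssl smime -verify -in "$2" -CAfile "$1" -out /dev/null >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

verify_msg ca.crt msg.txt        # unsigned: reject
verify_msg ca.crt msg.signed     # signed, root trusted: accept
verify_msg other.crt msg.signed  # signed, root not trusted: reject
# The identity being vouched for is the subject of the signer's certificate,
# which openssl can extract once the chain verifies.
openssl smime -verify -in msg.signed -CAfile ca.crt -signer verified.crt \
  -out /dev/null 2>/dev/null
openssl x509 -in verified.crt -noout -subject

# 5. Encrypted email: the sender needs only the recipient's certificate,
#    the recipient needs the matching private key. Ken mails himself.
openssl smime -encrypt -aes256 -in msg.txt -out msg.enc ken.crt
# decrypt_msg PRIVATE_KEY CERT ENC_FILE -> plaintext on stdout
decrypt_msg() {
  openssl smime -decrypt -in "$3" -recip "$2" -inkey "$1"
}
decrypt_msg ken.key ken.crt msg.enc
```

The third `verify_msg` call is the downside described above: the signature is mathematically sound, but a mailer that does not hold the issuing root has no basis for trusting it and must reject it. Note that a valid signature only tells you which certificate signed the message; deciding which signers you are willing to accept is still up to you.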
Enough blather for now. I urge anyone and everyone who reads this to go out and get a free certificate from Thawte and/or CAcert. Then spend the time to get your identity validated by a couple of Thawte "notaries" and/or CAcert assurers. It's well worth the effort.
Cheers,
Ken