|
VeriSign Digital Certificates for Secure Email allow you to digitally sign and encrypt your digital communications using a Class 1 Digital ID,
bound to your validated email address. Recipients of your email will know that the content came from your email address and has remained private during transmission.
Digital IDs are the electronic counterparts to driver licenses, passports, and membership cards. You can present a
Digital ID electronically to prove your identity or your right to access information or services online.
Digital IDs, bind an identity to a pair of electronic keys that can be used to
encrypt and sign digital information. A Digital ID makes it possible to verify someone's claim that they have the
right to use a given key, helping to prevent people from using phony keys to impersonate other users. Used in conjunction with
encryption, Digital IDs provide a more complete security solution, assuring the identity of all parties involved in a transaction.
A Digital ID is issued by a Certification Authority (CA) and signed with the CA's private key.
Users of RSA technology typically attach their unique Public Key to an outgoing document, so the recipient need not look up that
Public Key in a public key repository. But how can the recipient be assured that this Public Key, or even one in a public directory, really
belongs to the person which it indicates? Could not an intruder masquerade in the computer network as a legitimate user, literally sitting
back and watching as others unwittingly send sensitive and secret documents to a false account created by the intruder?
The solution is the Digital ID -- a kind of digital "passport" or "credential." The Digital ID is the user's Public Key that has itself
been "digitally signed" by someone trusted to do so, such as a network security director, MIS help desk, or a Certification Authority.
Every time someone sends a message, they attach their Digital ID. The recipient of the message first uses the digital certificate to
verify that the author's Public Key is authentic, then uses that Public Key to verify the message itself. This way, only one Public Key,
that of the certifying authority, has to be centrally stored or widely publicized, since then everyone else can simply transmit their
Public Key and valid Digital ID with their messages. Using Digital IDs, an authentication chain can be established that corresponds
to an organizational hierarchy, allowing for convenient Public Key registration and certification in a distributed environment.
The most widely accepted format for Digital IDs is defined by the CCITT X.509 international standard; thus certificates
can be read or written by any application complying with X.509. Further refinements are found in the PKCS standards and the PEM standard.
A Digital ID typically contains the:
- Owner's public key
- Owner's name
- Expiration date of the public key
- Name of the issuer (the CA that issued the Digital ID)
- Serial number of the Digital ID
- Digital signature of the issuer
Virtual malls, electronic banking, and other electronic services are becoming more commonplace, offering the convenience and
flexibility of round-the-clock service direct from your home. However, your concerns about privacy and security might be
preventing you from taking advantage of this new medium for your personal business. Encryption alone is not enough, as it
provides no proof of the identity of the sender of the encrypted information. Without special safeguards, you risk being
impersonated online. Digital IDs address this problem, providing an electronic means of verifying someone's identity.
Used in conjunction with encryption, Digital IDs provide a more complete security solution, assuring the identity
of all parties involved in a transaction.
Your Digital ID will detect "tampering" when any data has been added to your mail, and sometimes this occurs in the normal
process of Internet routing. If the e-mail was encrypted with your Digital ID, there is no way that a third party could read your message.
If it was digitally signed, you may want to communicate with the person who sent you the message and confirm its contents.
Authentication allows the receiver of a digital message to be confident of both the identity of the sender and the integrity of the message.
 Digital IDs use public key encryption techniques that use two related keys, a public key and
a private key. In public key encryption, the public key is made available to anyone who wants to correspond with the owner of
the key pair. The public key can be used to verify a message signed with the private key or encrypt messages that can only be
decrypted using the private key. The security of messages encrypted this way relies on the security of the private key,
which must be protected against unauthorized use.
A Digital ID is signed by the Certification Authority that issued the Digital ID. Multiple digital
certificates can be attached to a message or transaction, forming a certification chain where each Digital ID
testifies to the authenticity of the previous Digital ID. The top-level certification authority must be independently known and trusted by the recipient.
When you receive digitally signed messages, you can verify the signer's Digital ID to determine that no forgery or false representation has occurred.
When you send messages, you can sign the messages and enclose your Digital ID to assure the recipient of the message
that the message was actually sent by you. Multiple Digital IDs can be enclosed with a message, forming a hierarchical
chain, wherein one Digital ID testifies to the authenticity of the previous Digital ID. At the end of a
Digital ID hierarchy is a top-level Certification Authority, which is trusted without a Digital ID from
any other Certification Authority. The public key of the top-level Certification Authority must be independently known, for
example by being widely published. The more familiar you are to the recipient of the message, the less need there is to enclose Digital ID.
You can also use a Digital ID to identify yourself to secure servers such as membership-based web servers. This is called authentication.
Generally, once you've obtained a Digital ID, you can set up your security-enhanced web or e-mail application to use
the Digital ID automatically.
Suppose Alice wants to send a signed message to Bob. She creates a message digest by using a hash function on the message.
The message digest serves as a "digital fingerprint" of the message; if any part of the message is modified, the hash function returns a different result.
Alice then encrypts the message digest with her private key. This encrypted message digest is the digital signature for the message.
Alice sends both the message and the digital signature to Bob. When Bob receives them, he decrypts the signature using Alice's public key,
thus revealing the message digest. To verify the message, he then hashes the message with the same hash function Alice used and compares
the result to the message digest he received from Alice. If they are exactly equal, Bob can be confident that the message did indeed come from
Alice and has not changed since she signed it. If the message digests are not equal, the message either originated elsewhere or was altered after it was signed.
Note that using a digital signature does not encrypt the message itself. If Alice wants to ensure the privacy of the message, she must also
encrypt it using Bob's public key. Then only Bob can read the message by decrypting it with his private key.
Digital IDs have a wide variety of uses ranging from interoffice electronic mail to global Electronic Funds Transfer (EFT). In order to use
Digital IDs there must be a high degree of trust associated with the binding of a Digital ID to the user or organization linked with the Digital ID.
This trust is achieved by building hierarchies of Digital IDs, with all members of this hierarchy adhering to the same set of policies. Digital IDs
will only be issued to people or entities, as potential members of a hierarchy, once proof of identity has been established. Different hierarchies
may have different policies as to how identity is established and Digital IDs are issued.
Digital IDs are supported by Netscape Navigator 3.0 and higher (on Win 95, NT, Sun Solaris 2.5x, 2.6, SGI Irix 6.x
and HP-UX 10.20) and by Microsoft Internet Explorer 3.02 with authenticode 2.0 update and higher (on Win95 and Win NT 3.5.x or
later on x86 platform.)
For signing and encrypting e-mail, Digital IDs are supported by Netscape Messenger and Microsoft Outlook, Outlook
Express and by any other S/MIME (Secure Multipurpose Internet Mail Extensions) enabled e-mail application such as Deming,
Frontier, Pre-mail, Opensoft, Connectsoft, and Eudora.
The latest Web browser packages (specifically Netscape Communicator and Microsoft Internet Explorer), have e-mail applications
included (Netscape Messenger and Microsoft Outlook Express), so Digital IDs obtained through these packages can be
used for both e-mail and the Web. If you are using an e-mail application other than Netscape Messenger or Microsoft Outlook
Express, you should obtain your Digital ID through the e-mail vendor.
Your private key is protected in two ways:
- It is stored on your computer's hard drive so you can control access to it.
- When you generate your private key, the software you use (such as your browser) will probably ask you for a password.
This password protects access to your private key. For Microsoft Explorer users, your private key is protected by your Windows password.
A third party can access your private key only by (i) having access to the file your key is stored in (which is usually part of your system's
configuration information) and (ii) knowing your private password. Some software permits you to choose to not have a password protect your private key.
If you use this option, then you are trusting that no one, presently or in the future, will have unauthorized access to your computer.
In general, it is far easier to use a password then to completely safeguard your computer physically. Not using a password is like pre-signing all
of the checks in your checkbook and then leaving it open on your desk.
Protect your computer from unauthorized access by keeping it physically secure. Use access control products or operating system protection
features (such as a system password). Take measures to protect your computer from viruses, because a virus may be able to attack a private key.
Always chose to protect your private key with a good password. See http://csrc.nist.gov/nistbul/csl96-08.txt concerning private key security
and http://csrc.nist.gov/nistbul/csl90-08.txt concerning computer virus attacks.
Your Digital ID cannot be used without your private key, which is never transmitted to us. To maintain security, your private key should be
protected by a password and never sent across any network. You want your Digital ID (which contains your public key) to be available to
other users so that they can verify your right to use the digital certificate, decrypt messages that you have encrypted with your private key,
and verify your digital signatures.
There are also two types of hardware devices available that are more secure than your hard drive for storing your private key.
These are known as tokens (typically PCMCIA cards or special floppy disks) and smartcards. Contact you software vendor to see if it supports these devices.
Your Digital ID is protected with either your Netscape password (required to use the Digital ID with Netscape) or your Windows password
(required to log on to Microsoft Windows). It is therefore very unlikely that the thief will be able to use your Digital ID to impersonate you or read
your private messages. If you have a back-up copy of your Digital ID saved on a floppy disk, you can install it on a different computer.
Refer to Backing Up and Transporting Your Digital ID. Since the security of your Digital ID has been compromised, you should revoke it and enroll for a new Digital ID
IT IS YOUR RESPONSIBILITY TO PROTECT YOUR PRIVATE KEY. ANYONE WHO OBTAINS YOUR PRIVATE KEY CAN FORGE
YOUR DIGITAL SIGNATUREAND TAKE ACTIONS IN YOUR NAME! .
In order to guard against a brute-force attack, every key must have an expiration date after which it is no longer valid.
The expiration date is stored in the public key of a Digital ID. Every Web browser or e-mail application checks the validity of a Digital ID by making
sure the date you receive the Digital ID (and the information it is protecting) is within the valid dates. This means that when your own key expires,
everything you signed with it will no longer be valid. After expiration, the you need to renew your Digital ID using the Digital ID Center.
It is not possible to go through the renewal process and simply have your existing, installed Digital ID's validity period extended.
A new Digital ID is delivered and needs to be installed.
For secure email users, this also means the new public key for your new Digital ID will need to be distributed to any appropriate recipients.
If the Challenge Phrase is lost, renewal of the ID will not be possible. For security purposes, VeriSign does not have access to the challenge phrase.
If the challenge phrase is not available, a new enrollment will be necessary.
When enrolling for the new digital ID, make a change to the name field, so the new ID will not be a duplicate of the original.
Changes can be anything, including capitalizing a letter or adding a middle initial.
You should not delete your expired Digital ID(s) as this will prevent you from accessing any mail that was used with the ID.
| 
Домой | 
Заказ |
+A |
R |
-A |
|--|
|<-->|
