3.2.1 Personal Certificates
S/MIME email relies on personal certificates, as opposed to certificates granted to an organization; VeriSign calls a personal certificate a Class 1 Digital ID. It is the easiest kind of certificate to
obtain and is available for a modest price, but it is limited to email security only. You can get a Class 1 Digital ID that works with Netscape Messenger, or you can get one intended to work with
Microsoft Outlook Express. If you use a different application to read and write your email, you should consult that application's vendor to find out whether it interoperates with either of
these certificate types.
The first step in obtaining a personal certificate is to visit VeriSign's web site at http://www.verisign.com
and follow the links from the main page to Secure E-Mail, which is listed under Home & Home Office products, to the Digital ID enrollment form. We won't
outline all of the links here, not only because they're subject to change, but because there's a wealth of information on the site that is well worth reading, including information on how to make
use of the certificate once it has been issued. Once you have filled out and submitted the enrollment form, VeriSign will send an automated email to the address you provided with
instructions on how to pick up the certificate.
The first set of questions on the enrollment form is self-explanatory. The first and last name that you enter will be how your Digital ID is listed in VeriSign's directory service. The email address
that you enter should be the one that you will be using with the Digital ID. It becomes the certificate's distinguished name. It is also listed alongside your first and last name in the directory.
VeriSign will also use the address to verify its validity by sending an automated email to that address with instructions on how to retrieve the certificate that has been issued.
Next, VeriSign will request a challenge phrase, which will be used to protect the certificate. The phrase will be available to you and VeriSign. You should not share it with anyone else; VeriSign
will use the phrase to verify that you are the owner of the certificate when you request that it be revoked, renewed, or replaced. Be sure to choose a phrase that you'll be able to remember, but one
that will not be easily guessed by someone who knows you well.
VeriSign chooses a default key length for the certificate and issues it to you based upon the information from your browser. You shouldn't need to change the key length that is selected for
you unless you're using something other than Netscape or Microsoft products to access your email, in which case the documentation for your email software or the vendor of the software should
have advised you on the proper setting to choose.
If you're using Microsoft Internet Explorer, your private key will be unprotected by default. That is, once you install it in your email software, you will not be required to enter any password or
passphrase to gain access to it. If you opt to keep your private key unprotected in this manner, you must make certain that the private key for your certificate is not compromised. It is
generally not a good idea to leave your private key unprotected, so VeriSign offers two methods of protecting it. One step up from the default of low security is medium security, which requires
your approval each time the private key is accessed. With medium security, you are still not required to enter a password or passphrase to unlock the private key. High security requires you to
enter a password or passphrase to unlock the key each time it is accessed.
Remember that anybody gaining access to your private key will be able to use your certificate to masquerade as you. When an email is signed with your private key, people are going to trust it,
and this can have disastrous effects if your key is compromised. Anyone with access to your private key will also be able to decrypt email that has been encrypted with your public key. Sure,
your certificate can be revoked, but as we discussed earlier, revoking a certificate doesn't have any effect if its revocation status is not being checked. With this in mind, particularly for mobile users,
we strongly recommend that you choose high security.
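As an added example that is not part of the book, the following shell script uses the openssl command line to show the difference described above between an unprotected private key (anyone who copies the file can use it) and a passphrase-protected one (the passphrase is needed every time the key is loaded). It assumes openssl is installed; the file names and the passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): contrast an unprotected private key
# with a passphrase-protected one using the openssl CLI.
# Assumes openssl is on the PATH; the passphrase below is a constructed
# demo value, not a recommendation.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='demo-passphrase-change-me'   # constructed value for this example only

# 1. Generate a 2048-bit RSA key with no passphrase ("low security"):
#    whoever obtains unprotected.pem can sign and decrypt as its owner.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/unprotected.pem" 2>/dev/null

# 2. Re-wrap the same key as an encrypted PKCS#8 file ("high security"):
#    the key material is useless without the passphrase.
openssl pkcs8 -topk8 -in "$WORK/unprotected.pem" \
    -out "$WORK/protected.pem" -passout "pass:$PASS"

# key_loads FILE PASSPHRASE
# Returns 0 if openssl can load the key with the given passphrase
# (an empty string means "no passphrase supplied"), 1 otherwise.
key_loads() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# key_storage FILE
# Prints ENCRYPTED if the PEM header shows the key is stored encrypted,
# PLAIN otherwise (a quick check worth running on any key file at rest).
key_storage() {
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo ENCRYPTED
    else
        echo PLAIN
    fi
}

# Demonstration: the unprotected key loads with no credential at all,
# the protected key refuses to load until the passphrase is given.
echo "unprotected.pem storage: $(key_storage "$WORK/unprotected.pem")"
echo "protected.pem storage:   $(key_storage "$WORK/protected.pem")"
key_loads "$WORK/unprotected.pem" ""     && echo "unprotected key: loads with no passphrase"
key_loads "$WORK/protected.pem"   ""     || echo "protected key: refused without passphrase"
key_loads "$WORK/protected.pem"   "$PASS" && echo "protected key: loads with the passphrase"
```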
Finally, you must read and accept VeriSign's subscriber agreement and privacy policy. If you're using Microsoft Internet Explorer and you checked the checkbox for securing your certificate, a
dialog will be presented to you to select the security level that you wish to apply to the certificate. Within an hour or so, you will receive an email from VeriSign at the address that you entered into
the enrollment form containing instructions on how to pick up your certificate from VeriSign. Included in the email are a URL and a PIN, both of which will be required to get the certificate
from VeriSign. You should use the same machine and browser to retrieve the certificate as you did to request it.
That's all there is to it! Once you've retrieved your certificate from VeriSign, follow the directions presented on VeriSign's site to use the certificate in either Netscape or Microsoft Internet Explorer.
Again, if you're using other software to access your email, follow the vendor's directions to enable the certificate. Now you're ready to start sending and receiving secure email.
3.2.2 Code-Signing Certificates