"Vadim Rapp" wrote in <news:#cNK0EnzIHA.3968@TK2MSFTNGP04.phx.gbl>:
> V> When you look at the attributes of your Thawte cert (run certmgr.msc),
> V> do you see anything more of you identified in the cert than just your
> V> e-mail address?
>
> It's issued in my real name. Without WOT, it would be issued to "email user"
> or something like that.
>
> Vadim Rapp
>
> Hello, VanguardLH!
> You wrote on Sat, 14 Jun 2008 02:07:45 -0500:
>
> V> "Vadim Rapp" wrote in <news:#6VsT4ZzIHA.4476@TK2MSFTNGP06.phx.gbl>:
>
> BKM>>> Because the application is filtering on the actual application
> BKM>>> policy used to sign the email. You use the secure email application,
> BKM>>> you did not use the certificate for authentication
> ??>>
> ??>> I see. I was thinking that the main purpose of signing an email with
> ??>> digital id is in ensuring that the email has indeed come from the
> ??>> individual who signed it, kinda digital notarizing. Thawte gives away
> ??>> free certificates issued to "thawte email user", which only ensure
> ??>> that email message is intact but they also have a procedure where you
> ??>> meet their notary, present your papers, and the notary then enables
> ??>> Thawte to issue you your personal certificate - already in your name,
> ??>> and having the purpose "proves your identity" - which is what I did.
> ??>> If this still can't be used in email communication, then what's the
> ??>> point, and where can it be used if not in email? How can such a
> ??>> certificate be used for authentication?
> ??>>
> ??>> thanks,
> ??>> Vadim Rapp
>
> V> So are you saying that you went through their WOT (Web of Trust) notary
> V> scheme to get more information added to your Thawte e-mail cert? All
> V> you get with the initial free one is that it is tied to a particular
> V> e-mail address, not who owns (actually leases) that e-mail address.
>
> V> When you look at the attributes of your Thawte cert (run certmgr.msc),
> V> do you see anything more of you identified in the cert than just your
> V> e-mail address?
>
> With best regards, Vadim Rapp. E-mail: vr@nospam.myrealbox.com
According to
https://www.thawte.com/secure-email/web-of-trust-wot/index.html?click=main-nav-products-wot,
you need to visit enough WOT registrars to accumulate 50 trust points to
get your name added to the cert. Each notary can assign from 10 to 35
points to your trust rating depending on the notary's own trust rating,
so it takes 2, or more, notaries to authenticate your cert (although
their FAQ says 3, or more, notaries are required).
You say that your name is now in the cert. So now your e-mail address
and name are in your cert. This is the extent of proving who you are in
their cert. I have heard of no national or international registry to
which you are added which can trace back to sufficient personal details
to guarantee who you are in your cert used to digitally sign your
e-mails. The WOT registrar may require identification to prove who you
are to them but that information is not recorded in some publicly
available registry for proving your identity. Name and e-mail address
are it, but obviously that really doesn't identify you to anyone who has
never received e-mails from you before and done so repeatedly to
recognize that the content matches up with who you are.
Perhaps a subpoena issued to the WOT registrars to have them divulge
their records regarding what was used as proof of your identity (which
will NOT be in the cert) could be used in court to prove a digitally
signed e-mail came from you (or someone using your computer where the
cert was stored). It is doubtful that YOU can ever prove who signed an
e-mail without that subpoena to get those validation records released.
The e-mail cert binds your digital signature to an e-mail identity.
Adding your name is extra (and a bit superfluous if your name is already
in the username portion of your e-mail address) but does show you were
willing to prove to someone as to who you are (but which is not recorded
in the cert).
You can get free e-mail certs from both Thawte and Comodo. All they
really do is show that you really do own (actually lease) the e-mail
address that you say you own (lease) via a challenge sent to the
professed e-mail address that you own (lease). Getting your name added
is beyond that challenge, shows that some proof was presented to
someone, and gets your name added to your cert. Okay, so now you get an
e-mail from JohnDoe@ISPdomain.com which has the John Doe name in it.
You've never received a John Doe and do not personally know anyone named
John Doe. So what do you know about this John Doe that sent you e-mail?
That they have control over the e-mail account that they used to get the
cert and managed to prove to someone that their name is John Doe for
whatever was used as such evidence to a registrar.
All certs assume trust from a 3rd party rather than trust between the
1st and 2nd parties. Each party assumes the 3rd party is trustworthy.
This 3rd party trust model can be thwarted. From what I've seen of the
paid personal certs, they don't add any more info to the cert. With
their cert, free or paid, you know (or assume):
- The e-mail address to register for the cert is under control of the
person claiming ownership of that e-mail address (but control is not the
same as legal ownership as e-mail accounts have been hacked).
- If the cert owner's name is added, you are trusting the 3rd party's
validation of that owner's identity. The name being added is the
notary's seal that they accepted proof of identity from the professed
owner of the e-mail account.
- That the CA (certificate authority) specified in the cert is who you
expect gets queried to validate the cert and that they can be trusted.
Presumably you are asking about Thawte's freemail certs used to validate
your identity when digitally signing an e-mail. Well, that is why the
purpose of the cert says "protects e-mail messages". That is the only
purpose of that cert. You are not using an SSL site cert to "prove your
identity to a remote computer". Your computer was never connected to
their computer, so you could never prove it was your computer that
created the message. You sent your e-mail through someone else's mail
host. That's why you need the digital signature to tag along with the
e-mail. You aren't connecting to the recipient's host to prove it was
your computer that connected to them. You could go buy a site cert but
that won't help with digitally signing your e-mails that are delivered
by someone else's host to the recipient's mailbox.
The e-mail cert tries to show some level of proof of who sent the
e-mail, not of the computer used to compose it. In fact, you can
install your e-mail cert on multiple hosts and compose e-mail from each
and digitally sign it. You are attempting to prove who YOU are, not the
host you happened to use to write up the message.
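The following is an added example, not part of the post above and not code from Thawte or Comodo. It uses the OpenSSL command line (1.1.1 or newer, for -addext) to build three self-signed certificates whose contents mimic the three shapes discussed: the freemail cert that only carries an e-mail address, the WOT cert that also carries the holder's name, and an SSL site cert. It then prints the same identity fields certmgr.msc shows under Details (subject, subject alternative name, extended key usage), checks which cert can actually be used to sign mail from a given address, and clear-signs and verifies a message so that the "signature tags along with the e-mail" and "trust in a third party" points can be seen on the command line. The name John Doe, the address JohnDoe@ISPdomain.com, the host name and the extension sets are constructed for the demo and are not the real issuer profiles; the self-signed certs stand in for CA-issued ones, so each cert is its own trust anchor.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI, 1.1.1+.
# All names, addresses and extension sets below are constructed for the demo;
# they are not Thawte's or Comodo's real certificate profiles.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# $1 basename, $2 subject DN, $3 subjectAltName value, $4 extendedKeyUsage value
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -keyout "$1.key" -out "$1.crt" -subj "$2" \
        -addext "subjectAltName=$3" \
        -addext "extendedKeyUsage=$4" \
        -addext "keyUsage=digitalSignature" >/dev/null 2>&1
}

ADDR="JohnDoe@ISPdomain.com"
# Freemail shape: only control of the mailbox was checked, so only the address is in it.
make_cert freemail "/CN=Email User" "email:$ADDR" emailProtection
# WOT shape: the notaries' proof gets the holder's name added; the purpose is unchanged.
make_cert named "/CN=John Doe/emailAddress=$ADDR" "email:$ADDR" emailProtection
# Site cert shape: identifies a host to a remote computer, says nothing about e-mail.
make_cert site "/CN=www.example.com" "DNS:www.example.com" serverAuth

# The fields that identify the holder: subject, SAN and EKU. This is the same
# information the Details tab in certmgr.msc shows.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName,extendedKeyUsage
}

# Succeeds only if cert $1 can sign mail from address $2: the EKU must include
# E-mail Protection and the SAN must carry exactly that address.
cert_usable_for_email() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage \
        | grep -q "E-mail Protection" || return 1
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | grep -qE "(^|[ ,])email:$2([ ,]|\$)" || return 1
}

# Clear-signed S/MIME (multipart/signed): the signature travels inside the message,
# so the recipient's host never has to talk to the sender's computer.
sign_message() {  # $1 signer cert, $2 its key, $3 plaintext file, $4 signed output
    openssl smime -sign -signer "$1" -inkey "$2" -in "$3" -out "$4" -text
}

# Verification needs a trust anchor ($2): the recipient trusts the third party
# that issued the cert, not the sender directly.
verify_message() {  # $1 signed message, $2 trust anchor (PEM)
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

for c in freemail named site; do
    echo "== $c.crt"
    describe_cert "$c.crt"
    if cert_usable_for_email "$c.crt" "$ADDR"; then
        echo "   usable for S/MIME by $ADDR"
    else
        echo "   NOT usable for S/MIME by $ADDR"
    fi
done

printf 'The meeting is at 10.\n' > msg.txt
sign_message named.crt named.key msg.txt msg.p7m
verify_message msg.p7m named.crt && echo "signed message verifies against its issuer"
# Tamper with the clear-text body: the signature no longer matches the content.
sed 's/at 10/at 11/' msg.p7m > tampered.p7m
verify_message tampered.p7m named.crt || echo "tampered message rejected"
# Same untouched message, but a different trust anchor: no chain can be built.
verify_message msg.p7m freemail.crt || echo "rejected when the issuer is not trusted"
```

Note that the signed message verifies against named.crt alone; nothing in the exchange proves which computer the message was written on, only that whoever held named.key produced it, which is the point the post makes about proving who you are rather than which host you used.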