Digital Signatures/Certificate

In order to receive encrypted email, or send digitally signed email, you must have a digital certificate.

If you get a digital certificate for your email, you cannot send your friend encrypted email, but they can send you encrypted email.

This is exactly backward from how any sane human expects it to work.

Luckily, certificates are free.

If you persuade your friend to get a certificate, all the confusion is solved.

You can send digitally signed email to one another.

Why is it in reverse?

It's not really; it works just the way some insane mathematician designed it.

I will endeavor to explain it.

There is this really cool thing (using present-day language) called public key cryptography.

The long‐standing problem with secret messages was always getting the secret password (key) to the other end without it being discovered.

The way this problem was solved was by some disturbingly simple-looking maths that split the secret key into a public, encoding part and a private, decoding part.

You could give the public, encoding part to all your friends and enemies, and any time someone wanted to send you a secret message, they would use that public key that everyone knows to encrypt it.

Now for the clever bit: only your secret, private key (which you never shared with anyone at all) will allow the message to be decrypted and read.

Thus, a digital certificate allows you to get, but not send, encrypted email.

This neatly solves the "get the secret password to the other end" problem, because the key you hand out no longer has to be secret.

Secure two‐way communication is achieved by both ends having certificates and giving everyone their public key.

Now anyone anywhere can send a secret message to either of these two people.

The two people have that same ability and, of course, can now send secret messages to each other; they just use each other's public key.

Let us look at digital signatures then:

Remember, you use the public key to encrypt secret messages and the private key to decrypt and read them.

You can also encrypt a message with your private key, and anyone with your public key can decrypt it.

Now, because only a message that you made would have been encrypted with your private key, anyone who can decrypt it with your public key knows that you really must have been the sender.

Just to make sure that someone who receives a digitally signed message can read it, your public key is sent along to keep it company.

How do you know that the public key that came with the message is really related to the true sender and not just made up?

Comodo, the supplier of certificates, includes their own signature in your certificate to back up your claim.

This is why you get a digital certificate from a recognized certificate authority instead of just creating your own.

Now you only need a digital certificate to receive encrypted email.

While technically true, that is not an ideal combination.

Here is the problem:

When someone sends you an encrypted message, you don't have any way of verifying that the sender is really who they say they are.

If the sender also has a digital certificate, you now know that the correct person has sent the message.

Microsoft decided it was entirely too complicated to explain such things to normal humans and elected to only allow you to send encrypted email if both ends have a certificate.

In the Outlook family of products, both ends must have a digital certificate.

You can still send digitally signed messages with just your own certificate.

How do you give someone your public key so that you can receive encrypted email?

Send them a signed email first and their computer will remember the public key and be able to send you encrypted email afterward.
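The whole sequence the article describes (encrypt with the public key and decrypt with the private one; sign with the private key and check with the public one; the certificate authority putting its own signature on your certificate; sending a signed email first so the other side learns and keeps your public key), as an added example that is not part of the original article. It is textbook RSA written from scratch in Python so that it runs with no libraries; the primes, the CA, and the names and addresses are all constructed for the demonstration, and nothing in it is secure enough for real mail (no padding, fixed well-known primes). One refinement over the article's shorthand: what gets "encrypted with the private key" in practice is a hash of the message, and that is what the code signs.

```python
# Toy RSA walkthrough: public encoding half / private decoding half, a signature
# made with the private half, a CA-issued certificate, and a signed email that
# lets the recipient store the sender's key. Illustration only; NOT secure.
import hashlib

# Constructed key material: Mersenne primes, so the example runs offline without
# a prime generator. Real keys use random primes of 1024 bits or more.
ALICE_PRIMES = (2**127 - 1, 2**521 - 1)
CA_PRIMES = (2**89 - 1, 2**607 - 1)
MALLORY_PRIMES = (2**61 - 1, 2**1279 - 1)  # someone with no CA-issued certificate
PUBLIC_EXPONENT = 65537


def make_keypair(primes):
    """Return ((n, e), (n, d)): the public encoding part and the private decoding part."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(PUBLIC_EXPONENT, -1, phi)  # modular inverse, Python 3.8+
    return (n, PUBLIC_EXPONENT), (n, d)


def encrypt(public_key, message):
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("toy RSA: message must be shorter than the modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message):
    """The private-key operation applied to a SHA-256 hash of the message."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(public_key, message, signature):
    """Anyone with the public key can check that the matching private key signed."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


def _to_be_signed(subject, public_key):
    # What the CA signs: whose key it is, and the key itself.
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(ca_private_key, subject, subject_public_key):
    """The CA backs up the claim 'this key belongs to subject' with its own signature."""
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(ca_private_key, _to_be_signed(subject, subject_public_key))}


def certificate_is_valid(trusted_ca_public_key, cert):
    return verify(trusted_ca_public_key,
                  _to_be_signed(cert["subject"], cert["public_key"]), cert["ca_signature"])


def send_signed_mail(sender_cert, sender_private_key, body):
    """A signed email carries the sender's certificate along to keep the signature company."""
    return {"from": sender_cert["subject"], "body": body, "cert": sender_cert,
            "signature": sign(sender_private_key, body)}


def receive_signed_mail(trusted_ca_public_key, address_book, mail):
    """Accept only if the CA vouches for the key and the key verifies the body;
    on success remember the sender's public key so we can encrypt to them later."""
    cert = mail["cert"]
    if cert["subject"] != mail["from"]:
        return False
    if not certificate_is_valid(trusted_ca_public_key, cert):
        return False  # self-made or forged certificate: not trusted
    if not verify(cert["public_key"], mail["body"], mail["signature"]):
        return False  # body altered in transit, or signed with the wrong key
    address_book[mail["from"]] = cert["public_key"]
    return True


def demo():
    """Alice gets a CA-issued certificate and sends Bob a signed mail; Bob can then
    encrypt to her. Mallory's self-issued certificate for Alice's address is rejected."""
    ca_public, ca_private = make_keypair(CA_PRIMES)
    alice_public, alice_private = make_keypair(ALICE_PRIMES)
    alice_cert = issue_certificate(ca_private, "alice@example.com", alice_public)

    bobs_address_book = {}
    mail = send_signed_mail(alice_cert, alice_private, b"Hi Bob, this mail is signed.")
    accepted = receive_signed_mail(ca_public, bobs_address_book, mail)

    # Bob now holds Alice's public key and can send something only she can read.
    ciphertext = encrypt(bobs_address_book["alice@example.com"], b"secret reply")
    alice_reads = decrypt(alice_private, ciphertext)

    # Mallory makes her own key pair and a certificate she signed herself.
    mallory_public, mallory_private = make_keypair(MALLORY_PRIMES)
    fake_cert = issue_certificate(mallory_private, "alice@example.com", mallory_public)
    fake_mail = send_signed_mail(fake_cert, mallory_private, b"Hi Bob, it is me, Alice.")
    forged_accepted = receive_signed_mail(ca_public, bobs_address_book, fake_mail)

    # A genuinely signed body that was altered in transit fails verification too.
    tampered = dict(mail, body=b"Hi Bob, this mail is NOT signed.")
    tampered_accepted = receive_signed_mail(ca_public, bobs_address_book, tampered)

    return {"accepted": accepted, "alice_reads": alice_reads,
            "forged_accepted": forged_accepted, "tampered_accepted": tampered_accepted,
            "address_book_keys": sorted(bobs_address_book)}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result of demo(): Alice's signed mail is accepted and her key lands in Bob's address book, Bob's encrypted reply decrypts only with Alice's private key, and both the self-signed certificate and the altered body are refused, which is the behaviour the article attributes to Outlook remembering a key from a signed message and to the CA's signature backing up your claim.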

Do you want me to run through that again?

It took me some time to think of how to describe it.