Who do you trust?

The following is the third post in a series entitled, “Securing your Email.” If you’re just tuning in and you’re not very familiar with words like “digital signature” and “public-key cryptography,” you may want to take a few minutes to read the first two posts in this series.

After reading my earlier posts, hopefully you've gotten a better understanding of what digital signatures and encrypted emails are and why they can be necessary. Before getting into the technical details of how to obtain or create an encryption key, you should gain a better understanding of how keys are authenticated. After all, this entire process is about learning to trust a system more than a plain old email. So why should you trust an email with a digital signature more than a normal email? How do you know whether that digital signature is even valid? A signature only proves that the message was signed by the holder of a particular key; your recipients still need a way to verify that the key actually belongs to you. There are two competing approaches (or "schemes") to doing this, each with advantages and disadvantages. Both involve verifying that a key really belongs to the person it claims to belong to. A key is considered "verified" when a person or company signs the key. By signing a key, the signer is asserting two things: the person is who they say they are, and this particular key is theirs. Keep in mind that such a signature is only as good as the signer. The question of the rest of this post is who you let vouch for a key.

In the public key infrastructure (PKI) scheme, a certificate authority is responsible for this verification. This is the model behind S/MIME, the signed and encrypted email format built into most desktop email clients. You've probably heard of Verisign, the best-known certificate authority. Certificate authorities are companies who take responsibility for verifying that your key matches your identity in exchange for a fee. How thorough that check is depends on the class of certificate you buy: the cheapest personal certificates typically verify only that you control the email address, while more expensive classes may require a driver's license or passport. For example, an individual "Digital ID" from Verisign costs $20/year. Thus, for a fairly nominal fee you get a verified encryption key that can be used to digitally sign or even encrypt emails. In order to do this, you'll need to use a desktop email client, such as Microsoft Outlook Express or Mozilla Thunderbird, or you'll need to use a browser-based plug-in for web email, such as the GMail S/MIME extension for Firefox. It's important to realize that your recipients also need to use one of these applications to be able to check your digital signature or decrypt your email messages.

While the PKI scheme costs an annual fee, nearly all of the work and upkeep is done by the certificate authority. The user simply has to purchase the key and start using it. Cost aside, however, many people in the computer industry do not trust keys that are signed by certificate authorities, because the verification behind them can be lax. In other words, they do not trust that the certificate authorities are doing their jobs thoroughly. People claim that for your $20, you can get a certificate identifying you as basically whomever you want. If true, this destroys the integrity of the entire system. Once they have your $20, does the company have a significant interest in whether you actually are who you say you are? You also have to wonder how much you can trust a lesser known certificate authority. For example, if you got a message from Joe, whose key was verified by Jimbo's Certificates, would you be more likely to trust Joe's signature? Less likely? In practice you rarely get to make that choice: your email client ships with a list of certificate authorities it trusts, and a signature from any of them looks equally valid. Also, what happens if a certificate authority goes bankrupt, or has its own signing key compromised? Every certificate it ever issued is affected at once.

The alternative to PKI is the web-of-trust (WOT) scheme, used by OpenPGP tools such as GnuPG. Instead of a central company (or set of companies) in charge of certifying people's identities, groups of users validate each other's identity. You first need to create an encryption key on your computer, which I will cover in my next post. Your key will have a "digital ID number," properly called its fingerprint: a short string of hexadecimal digits computed from the key itself, so that two different keys cannot share one. You then need to meet in person and exchange fingerprints with your friends and colleagues. Once you're back at a computer, if you're satisfied with someone's identity you can use this fingerprint to fetch their key from a key server, confirm that the fingerprint of the key you downloaded matches the one they handed you, and sign it. That comparison is the whole point of meeting in person: anyone can upload a key to a key server with any name and email address on it, so the name alone proves nothing. By signing the key you're essentially saying, "I met this person, and I can confirm their identity and that this is their true key."

Using this scheme reduces cost (it's free), and thus eliminates the bias of companies that are more concerned with profit than actual validity. Plus, multiple validations for a given key should greatly increase your ability to trust it. If 15 of your close friends have verified Joe's key, would you be more likely to trust Joe's signature or less likely? Note that it is the friends that matter, not the number: 15 signatures from strangers tell you very little, which is why your software also lets you record how much you trust each person's judgment when they sign other people's keys. A disadvantage of the WOT scheme is that without a backing company, it is usually a lot more work for the individuals. You can't just pay someone $20/year to take care of it for you. It also usually involves meeting face-to-face with people in order to verify their identity or have them verify yours, which can be difficult for some people depending on where they live. Fortunately, free software makes the bookkeeping easy: key servers let you find keys and the signatures on them, and your OpenPGP software works out from those signatures, and from the trust you have assigned to each signer, whether a given key should be considered valid.
</gre_replace>
<gr_insert after="13" cat="add_content" lang="python" orig="Using this scheme reduces cost">
To make the "15 of your close friends" reasoning concrete, here is a small model of how OpenPGP-style software decides whether a key is valid from the signatures on it. This is an added example written for this post, not code from GnuPG or from any other tool; the keyring, the people and the fingerprints in it are constructed for illustration. It follows the classic rule that a key is valid if you signed it yourself, or if it is signed by at least one fully trusted valid key, or by at least three marginally trusted valid keys, and that a signature from a key which is not itself valid counts for nothing.

```python
"""Toy model of web-of-trust key validity (added example, not GnuPG's code)."""
from dataclasses import dataclass, field

# Owner trust: how much you trust a PERSON to check other people's keys.
# This is separate from validity: whether you believe a KEY belongs to its named owner.
UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"


@dataclass
class Key:
    fingerprint: str                          # the "digital ID number" of the key
    owner: str                                # the name the key claims
    signers: set = field(default_factory=set)  # fingerprints of keys that signed this key


class Keyring:
    def __init__(self):
        self.keys = {}          # fingerprint -> Key
        self.owner_trust = {}   # fingerprint -> trust level you assigned to its owner

    def add(self, fingerprint, owner, trust=UNKNOWN):
        self.keys[fingerprint] = Key(fingerprint, owner)
        self.owner_trust[fingerprint] = trust
        return self.keys[fingerprint]

    def sign(self, signer, target):
        """Record that the owner of `signer` met the owner of `target` and vouches
        that `target` is really their key. Both keys must already be on the ring."""
        if signer not in self.keys or target not in self.keys:
            raise KeyError("unknown fingerprint")
        self.keys[target].signers.add(signer)

    def valid_keys(self, need_full=1, need_marginal=3):
        """Compute the set of valid keys as a fixpoint starting from your own keys.
        A key becomes valid when it carries signatures from at least `need_full`
        valid keys whose owners you trust fully (your own key counts as fully trusted),
        or from at least `need_marginal` valid keys whose owners you trust marginally.
        Signatures from keys that are not (yet) valid never count."""
        valid = {f for f, t in self.owner_trust.items() if t == ULTIMATE}
        changed = True
        while changed:
            changed = False
            for fpr, key in self.keys.items():
                if fpr in valid:
                    continue
                trusted = [s for s in key.signers if s in valid]
                full = sum(1 for s in trusted if self.owner_trust[s] in (FULL, ULTIMATE))
                marginal = sum(1 for s in trusted if self.owner_trust[s] == MARGINAL)
                if full >= need_full or marginal >= need_marginal:
                    valid.add(fpr)
                    changed = True
        return valid

    def is_valid(self, fingerprint):
        return fingerprint in self.valid_keys()


def build_example():
    """Constructed scenario: you, 15 friends, Joe, a stranger, and Alice/Bob."""
    ring = Keyring()
    ring.add("ME00", "me", ULTIMATE)                  # your own key
    for i in range(1, 16):                            # 15 friends you verified in person
        ring.add(f"FR{i:02d}", f"friend{i}", MARGINAL)
        ring.sign("ME00", f"FR{i:02d}")
    ring.add("JOE0", "joe")                           # Joe: signed by all 15 friends
    for i in range(1, 16):
        ring.sign(f"FR{i:02d}", "JOE0")
    ring.add("JIMB", "jimbo")                         # nobody you know has signed Jimbo
    ring.add("CUST", "jimbo's customer")              # ...so his signature is worthless
    ring.sign("JIMB", "CUST")
    ring.add("ALIC", "alice", FULL)                   # you trust Alice's judgment fully,
    ring.add("BOB0", "bob")                           # but never verified her key, so
    ring.sign("ALIC", "BOB0")                         # her signature on Bob's key is idle
    ring.add("SAM0", "sam")                           # signed by only two of the 15
    ring.sign("FR01", "SAM0")
    ring.sign("FR02", "SAM0")
    return ring


if __name__ == "__main__":
    ring = build_example()
    for fpr in ("JOE0", "CUST", "BOB0", "SAM0"):
        print(fpr, ring.keys[fpr].owner, "valid" if ring.is_valid(fpr) else "NOT valid")
    ring.sign("ME00", "ALIC")   # verify Alice in person: now Bob's key becomes valid too
    print("BOB0 after signing Alice:", ring.is_valid("BOB0"))
```

The last two lines show the part people most often get wrong: assigning full trust to Alice does nothing until Alice's own key is valid, and the only way to make it valid is for you (or enough of your trusted signers) to sign it. Real implementations add a maximum path length and a few other limits, but the core computation is this fixpoint.
<test>
ring = build_example()
assert ring.is_valid("ME00")
assert ring.is_valid("FR07")
assert ring.is_valid("JOE0")
assert not ring.is_valid("CUST")
assert not ring.is_valid("JIMB")
assert not ring.is_valid("BOB0")
assert not ring.is_valid("SAM0")
ring.sign("ME00", "ALIC")
assert ring.is_valid("ALIC")
assert ring.is_valid("BOB0")
assert not ring.is_valid("SAM0")
assert len(ring.valid_keys()) == 1 + 15 + 1 + 2
</test>
</gr_insert>
<gr_replace lines="17" cat="clarify" orig="Now that you’ve got a good background">
Now that you've got a good background on how key validation works, you're ready to get started with your own key. If you'd like to purchase a key from a certificate authority, go for it. Unfortunately, I can't describe how to use it in detail since I've never purchased one, but some of the information I'll provide may still be helpful. In my next post in this series, I'll show you how to use free software to create your own encryption key right on your computer. I'll also discuss how to use it and how to get started in the web-of-trust.

As with PKI, you need software tools to be able to digitally sign or encrypt an email. You’ll also need this software to be able to verify someone’s signature and decrypt an email. Some examples of these tools are the Enigmail plug-in for Mozilla Thunderbird or the FireGPG Firefox extension for GMail. I will go through how to use these two applications in more detail in my next post.

Now that you’ve got a good background on how key validation works, you’re ready to get started with your own key. If you’d like to purchase a key from a certificate authority, go for it. Unfortunately, I can’t describe how to use it in detail since I’ve never purchased one, but some of the information I’ll provide may still be helpful. In my next post in this series, I’ll show you how to use free software to create your own encryption key right on your computer for free. I’ll also discuss how to use it and how to get started in the web-of-trust.
