none said:
I'd like to start encrypting emails (Outlook Express). Googled and found
an ID certificate is required and VeriSign will gladly produce one for
$19.95 a year.
Would like comments and input regarding encrypting, sources for
certificates etc; no experience with it although I recall hearing many
years ago of a PGP (?) method.
Well, start with a background article, and see what you think.
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
*******
http://en.wikipedia.org/wiki/Enigmail
http://en.wikipedia.org/wiki/Mozilla_Thunderbird#Security
http://www.enigmail.net/documentation/quickstart-ch2.php
"Publishing your key
By far, the easiest way to share your key with the world
is to publish it on the public keyserver network, a global
database of keys (please note that once a key was uploaded
to a keyserver, there is no way to delete it from there!).
In order to publish your key, click on your key in the Key
Manager. Then click "Keyserver" and select "Upload public keys".
"
Putting your public key on a public keyserver, is how other people
acquire the key necessary to send messages addressed only to you, where
the message can only be opened with your half of the key (the "private"
part you keep protected at home). This solves the problem of
"sending a secret" to your friend. The public key, by itself, is
useless. And you hold onto the private key, that finishes the job
on reception of an encrypted message. They use your public key, to
encrypt their mail to you.
From the first article:
"Web of trust
Simply downloading a public key from somewhere is not overwhelming
assurance of that association; deliberate (or accidental)
impersonation is possible."
So if the key on the server, was put there by the FBI, you could send
a message to person "X", and the FBI could use their private key to
read it. If they allowed the message to be forwarded to you, your
private key would not open it (because the bogus public key on the
server, isn't actually paired with your private key). But, I suppose
they could forward the plaintext they decoded, and apply your real
public key to it.
"PGP's original scheme, at least, leaves the decision whether or
not to use its endorsement/vetting system to the user, while most
other PKI schemes do not, requiring instead that every certificate
attested to by a central certificate authority be accepted as correct."
Would that be your $19.95 Verisign certificate ?
In any case, you should never have to send more than your public key
to a third party. Whether to have a certificate made or whatever. The
private key, stays with you. It should never be required, to submit
both the public and private parts, to a third party.
Looking at this info, it suggest making a key for yourself, isn't
a problem. But distributing it, in such a way as a third party can
trust the key belongs to you, is the hard part. They could encrypt
with what they think is your public key, only to have the content
decrypted by an "interested and capable" third party. If you could
give the key, by hand, to the recipient, then there would not be
a distribution problem. Not even snail mail would be safe, if
for example, all the snail mail was being intercepted. (For the
short period I worked at a postal sorting station as a student
summer job, two street addresses were on the intercept list. So
it does happen. There were the usual jokes about how "bad ass"
the person at that address might be. But none of my fellow
employees expressed an interest in informing the addressee they
were under surveillance. And the person most likely to snag
the items in question, would be the postal carrier about to
do his/her walk.)
If "nobody is really interested in you", and you're worried about
plaintext messages all being stored here, then a simple public
key, thrown on a keyserver, should be plenty. If "somebody is
interested in you", that's when more thought has to go into
key distribution (certificates, hand delivered etc).
http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/
HTH,
Paul