Recommendations For Personal Digital Certificates?

Keith M Ellis asks: "I've decided it's about time to fully utilize privacy and digital id technology into my internet use. I've used PGP off-and-on for years, of course; and have been half-aware of other services like VeriSign et al. However, now that I'm looking more closely at these technologies, I've been disappointed to find that there doesn't seem to be anything that seamlessly and relatively unobtrusively plugs-in to my various applications and OS. What are the current options for achieving this level of integration; and, if there really aren't any, I'm interested in any thoughts anyone might have about why this is the case and what the future might hold."

Depends on purpose, but there are options

[Fastolfe]

The first question I'd ask is whether or not you need this solution to work over the Internet as a whole, or just within your organization. If you're OK with an intra-organization approach, simply get some group to take ownership of a private root certificate authority and pump out certificates as needed. Customized versions of software could be pre-configured to trust this organizational certificate, or instructions sent out that tell people how to get it trusted.

If you're looking for a solution that's cross-platform, there are options for most any OS for either a PGP-ish solution or a X.509-based solution (traditional Verisign-issued certificates), but as things are today, PGP-based solutions are generally easier for UNIX while X.509-based solutions are generally easier for Windows.

For Windows, a lot of the certificate stuff is built in, which makes it easy for applications to support it. There are PGP plug-ins, which, while not exactly polished, have worked for me in the past. (Function over form, if you ask me.)

For UNIX, you'll generally need OpenSSL-based software if you want to make use of X.509. For e-mail, mutt even has support for these certificates (which is how I'm starting to do things today, so that less savvy Windows users can get my signed messages without having to install extra PGP software).

If you ask me, the digital certificate approach seems to be winning out, for the usual Microsoft reasons. I personally like the way PGP-style authentication is done, where you explicitly trust your closest friends, and other peoples' keys can have trust inherited from that, etc. The way things are now, you kind of have to assume that the certificates you're given (bundled in your application) are really trustworthy. Given the volume of such certificates bundled in browsers today, it's only a matter of time before one of those barely-recognizable companies get their certificates compromised, at which point things are going to start sucking.

CAs

[jo42]

Frankly, I'm rather surprised that no one in the Open Source community has started a free certificate authority. It's not quantum physics lads - all you need is a few lines of code and some web pages.