Slashdot Mirror


Recommendations For Personal Digital Certificates?

Keith M Ellis asks: "I've decided it's about time to fully integrate privacy and digital ID technology into my Internet use. I've used PGP off-and-on for years, of course, and have been half-aware of other services like VeriSign et al. However, now that I'm looking more closely at these technologies, I've been disappointed to find that there doesn't seem to be anything that seamlessly and relatively unobtrusively plugs in to my various applications and OS. What are the current options for achieving this level of integration; and, if there really aren't any, I'm interested in any thoughts anyone might have about why this is the case and what the future might hold."

5 of 17 comments

  1. Thawte by danielrose · Score: 3, Informative

    Thawte digital signatures integrate really well into MS Outlook (at least Outlook 2K).
    PGP also integrates nicely into Outlook 2K. GPG, however, does better in Outlook Express.

    --
    i hate pansy republicans
  2. Depends on purpose, but there are options by Fastolfe · Score: 4, Interesting

    The first question I'd ask is whether or not you need this solution to work over the Internet as a whole, or just within your organization. If you're OK with an intra-organization approach, simply get some group to take ownership of a private root certificate authority and pump out certificates as needed. Customized versions of software could be pre-configured to trust this organizational certificate, or instructions sent out that tell people how to get it trusted.

    If you're looking for a solution that's cross-platform, there are options for most any OS for either a PGP-ish solution or an X.509-based solution (traditional Verisign-issued certificates), but as things are today, PGP-based solutions are generally easier for UNIX while X.509-based solutions are generally easier for Windows.

    For Windows, a lot of the certificate stuff is built in, which makes it easy for applications to support it. There are PGP plug-ins, which, while not exactly polished, have worked for me in the past. (Function over form, if you ask me.)

    For UNIX, you'll generally need OpenSSL-based software if you want to make use of X.509. For e-mail, mutt even has support for these certificates (which is how I'm starting to do things today, so that less savvy Windows users can get my signed messages without having to install extra PGP software).

    If you ask me, the digital certificate approach seems to be winning out, for the usual Microsoft reasons. I personally like the way PGP-style authentication is done, where you explicitly trust your closest friends, and other people's keys can have trust inherited from that, etc. The way things are now, you kind of have to assume that the certificates you're given (bundled in your application) are really trustworthy. Given the volume of such certificates bundled in browsers today, it's only a matter of time before one of those barely-recognizable companies gets its certificates compromised, at which point things are going to start sucking.

  3. Re:Why PGP is not integrated into applications by Rick the Red · Score: 3, Insightful

    Privacy and networking are not opposing forces. The drive to network led us to invent the postal service, and that came with privacy from day one. The analogy is simple: email is a postcard; encrypted email is a letter in an envelope. Even if most people will never read your emails, just as most people will never read your postcards, it is quite possible for your ISP (and many others you don't know) to read your emails, just as it's possible for everyone at the post office to read postcards.

    Most people pay bills by mail without a second thought, but they would never pay bills by email. Perhaps that will change with universally accepted encryption. The question is how to get there from here, and "one person at a time" is as good a way as any.

    --
    If all this should have a reason, we would be the last to know.
  4. CAs by jo42 · Score: 3, Interesting

    Frankly, I'm rather surprised that no one in the Open Source community has started a free certificate authority. It's not quantum physics lads - all you need is a few lines of code and some web pages.

    1. Re:CAs by coyote-san · Score: 3, Informative

      If it's so easy, why haven't you done it?

      You're correct that it's not difficult to sign certs. But a CA needs to do a lot more than that. You need to be able to handle revocations and renewals, while avoiding fraudulent revocations and renewals by third parties. You need to be able to publish the certs and CRLs to any interested party. You need to provide the standard search methods.

      And once you've done all of that, you're still left with the question of exactly what the cert means. A free cert that shows nothing but the fact that you have an email address isn't particularly useful. It gives you encrypted email, but no real authentication.

      That's better than nothing, but I suspect the other people working on CA projects feel that we'll get more benefit from our efforts elsewhere.

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
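The private root CA that comment 2 suggests for intra-organization use, together with the issue, revoke and publish-CRL duties coyote-san lists in comment 4, as an added example built with the openssl command-line tool. This is not code from any poster in the thread; the CA name, organisation, user name, email address and directory layout are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private root CA with openssl.
# It issues an S/MIME-style cert, revokes it, publishes a CRL, and verifies the
# cert before and after revocation. All names and paths are made up for the demo.
set -eu

# Lay out the files "openssl ca" needs and create the self-signed root.
setup_ca() {
    ca=$1
    mkdir -p "$ca/certs" "$ca/newcerts" "$ca/private"
    : > "$ca/index.txt"            # issued-certificate database
    echo 1000 > "$ca/serial"        # next certificate serial (hex)
    echo 1000 > "$ca/crlnumber"     # next CRL number (hex)
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/private/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName   = supplied
emailAddress = optional
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = Demo Root CA
O  = Example Org
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_smime ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$ca/openssl.cnf" -extensions v3_ca \
        -keyout "$ca/private/ca.key" -out "$ca/ca.crt" 2>/dev/null
    # Publish an (empty) CRL from day one: relying parties need one to exist.
    openssl ca -batch -config "$ca/openssl.cnf" -gencrl -out "$ca/ca.crl" 2>/dev/null
}

# Issue an email-protection certificate for a user: CSR, then CA signature.
issue_cert() {
    ca=$1; name=$2; email=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$ca/openssl.cnf" \
        -subj "/CN=$name/emailAddress=$email" \
        -keyout "$ca/private/$name.key" -out "$ca/$name.csr" 2>/dev/null
    openssl ca -batch -notext -config "$ca/openssl.cnf" -extensions v3_smime \
        -in "$ca/$name.csr" -out "$ca/certs/$name.crt" 2>/dev/null
}

# Revoke a certificate and publish a fresh CRL that lists it.
revoke_cert() {
    ca=$1; name=$2
    openssl ca -batch -config "$ca/openssl.cnf" \
        -revoke "$ca/certs/$name.crt" -crl_reason keyCompromise 2>/dev/null
    openssl ca -batch -config "$ca/openssl.cnf" -gencrl -out "$ca/ca.crl" 2>/dev/null
}

# Verify the way a relying party should: chain to the root, check the S/MIME
# signing purpose, and consult the current CRL. Prints OK or REVOKED_OR_INVALID.
verify_cert() {
    ca=$1; name=$2
    cat "$ca/ca.crt" "$ca/ca.crl" > "$ca/trust.pem"
    out=$(openssl verify -crl_check -purpose smimesign -CAfile "$ca/trust.pem" \
        "$ca/certs/$name.crt" 2>&1 || true)
    case "$out" in *": OK"*) echo OK ;; *) echo REVOKED_OR_INVALID ;; esac
}

# Full run: the same certificate verifies before revocation and fails after.
run_demo() {
    work=$(mktemp -d)
    setup_ca "$work"
    issue_cert "$work" alice alice@example.org
    before=$(verify_cert "$work" alice)
    revoke_cert "$work" alice
    after=$(verify_cert "$work" alice)
    rm -rf "$work"
    echo "$before $after"    # OK REVOKED_OR_INVALID
}

run_demo
```

Everything here is the plumbing coyote-san describes (signing, revocation, CRL publication); it says nothing about who `alice` actually is, which is the identity-vetting gap the same comment points out. In a real deployment the root key would stay offline, `trust.pem` would be replaced by a CRL distribution point or OCSP responder that clients fetch, and the root certificate would be pushed into the organization's trust stores as comment 2 suggests.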