Digital Signatures in E-mail

Getting Started with Digital Signatures for E-mail

To digitally sign e-mails you send, you must use an e-mail program that supports them. Most regular desktop applications do, while most mobile apps and web-based mail apps do not.

Next, you must acquire a digital certificate (also called a "Digital ID") that identifies you by your full name and e-mail address, and install it into your computer and any other device you use to send e-mail. It takes some effort and a little money to get a Digital ID; but, once you have it, you can sign an unlimited number of messages using the same digital certificate, until the certificate expires. If you have multiple e-mail addresses, you need one for each address from which you want to send signed e-mail.

Where to get a Digital ID

To get a Digital ID, you should purchase it from a well-known provider of digital certificates, also known as a Certification Authority or just a CA. When you get a digital certificate from a CA that is trusted worldwide, virtually any recipient of your digitally signed e-mail will be able to verify the integrity of your message without having to take any further steps.

Verification Options

When you purchase your certificate, you have different options as far as how thoroughly the provider verifies your identity before it issues the certificate. The verification process can range from virtually none (you tell the provider your name and e-mail address, and they send the certificate to you by e-mail), to thorough verification requiring you to send them a copy of your government-issued ID and proof that you own your e-mail address. You should choose a level of verification based on what your recipients will require.

The thoroughness of the verification will be indicated in the certificate once it is issued. The advantage of using minimal verification is that you can get no-verify digital certificates for free. The certificate itself will usually show something like "PERSONA NOT VALIDATED" as a warning to anyone accepting your signed message that the certificate was granted by confirming the e-mail address only, but with no verification of who is behind it. These can be useful if your intended recipients know you personally, and they already know your e-mail address.

If you're going to send signed e-mails to the general public, or otherwise need to meet a greater level of assurance in your electronic communications to meet company policies or contractual/legal obligations, you should purchase a certificate from a provider that verifies your identity before issuing a certificate in your name. These can cost significantly more, but the provider then essentially takes responsibility, on your behalf, for asserting your identity through your certificate.

Acquiring the Digital ID

Although the internal data and format of digital certificates are standardized, each certificate issuer has a different procedure you must follow to apply for the certificate, verify your identity, and get the certificate delivered to you. Once you get to that point, you must install the certificate on your computer or mobile device yourself. Each certificate issuer, though, should have tutorials on their website, or some sort of technical support or customer service, to help you get your new certificates installed properly.

As part of the process of getting a digital certificate, you must create and store what's called a private key. The private key is stored only on your computer or mobile device, and is used by your e-mail program as part of the process of signing your e-mails. The secrecy of this private key forms the crux of how a digital certificate proves that only you sent it. If you are going through the process of getting a Digital ID, any good provider will have you create the private key on your computer, and you won't need to send it to them. This way, the private key never leaves your computer. If your provider asks you to send them the key, or if they generate it on your behalf, you should cancel the process and find another provider.

One last note: When you're generating your private key, your computer might ask you to set a password to protect it. Your private key is already kept in a hidden area on your computer that's hard for another user to find. But, if you share your computer or use a laptop, tablet, or phone that you could possibly lose, you should consider setting a password on the private key. Then, your computer will encrypt the private key when it saves it to your hard drive. If someone with physical access to your computer tries to copy the private key from your hard drive, he won't be able to use it unless he can guess the password you used to encrypt it. The drawback is you may have to type this password every time you send a signed e-mail.

Cloud Options

Some companies offer cloud-based e-mail digital signing. With these services, your private key is generated and stored on the cloud provider's servers, and you can then sign e-mails via a mobile app, or through their website. This would be convenient if have several devices, because you don't have to configure a Digital ID on each of them. But, as already mentioned, this undermines the integrity of the process, so you should not use cloud-based digital e-mail signature services without performing thorough risk assessments.

Final Words

If any of this sounds daunting, or you want assistance ensuring you are making the best choices, please contact an IT services professional such as J.D. Fox Micro. Otherwise, continue with one of the links below.

Click here for links to issuers of digital certificates for e-mail.

Click here for the first part of this article, an introduction to digital signatures for e-mail.