
In the X.509 public key infrastructure (PKI) system, a Certificate Authority (CA) issues a certificate binding a public key to a particular Distinguished Name (DN). A DN is a series of name-value pairs, such as uid=mike, that uniquely identify an individual or entity -- the certificate subject. For example, a typical DN looks something like this:
uid=mike,e=mike@abc.com,cn=mike,o=ABC Ltd.,c=GB
The meanings of the abbreviations before each equal sign are as follows:
- uid: user ID
- e: e-mail address
- cn: the user's common name
- o: organization
- c: country
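The DN string above can be split into its name-value pairs in code. The parser below is an added example, not part of the original article: it follows RFC 4514-style escaping so that a comma inside a value (as in the constructed sample `ESCAPED_DN`) is not mistaken for a separator, which is what happens with a plain split on commas.

```python
# Added example: minimal RFC 4514-style DN string parser (standard library only).
import string

PAGE_DN = "uid=mike,e=mike@abc.com,cn=mike,o=ABC Ltd.,c=GB"  # DN from the article
ESCAPED_DN = r"cn=mike,o=ABC\, Ltd.,c=GB"                    # constructed sample

def parse_dn(dn):
    """Return a list of RDNs; each RDN is a list of (type, value) pairs.
    A multi-valued RDN (pairs joined with '+') yields more than one pair."""
    rdns, rdn, attr, buf = [], [], None, bytearray()

    def end_pair():
        nonlocal attr
        if attr is None:
            raise ValueError("component without '='")
        rdn.append((attr, buf.decode("utf-8")))   # values are kept verbatim
        attr = None
        buf.clear()

    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                        # escape: \XX hex pair or \<char>
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))     # raw byte, decoded as UTF-8 later
                i += 3
                continue
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash")
            buf += dn[i + 1].encode("utf-8")  # escaped special, taken literally
            i += 2
            continue
        if ch == "=" and attr is None:        # first unescaped '=' ends the type
            attr = buf.decode("utf-8").strip().lower()
            buf.clear()
        elif ch in "+,":                      # '+' stays in the RDN, ',' ends it
            end_pair()
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf += ch.encode("utf-8")
        i += 1
    end_pair()
    rdns.append(rdn)
    return rdns

if __name__ == "__main__":
    print(parse_dn(PAGE_DN))
    print(ESCAPED_DN.split(","))   # naive split yields a piece with no '='
    print(parse_dn(ESCAPED_DN))
```

Code that makes access decisions from a certificate subject should compare parsed components like these rather than raw DN strings, since the same subject can be written with different escaping or letter case in the attribute types.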
The user's public key and everything contained within the fields of an X.509 public key certificate -- including the DN -- are encrypted with the private key of the CA. Anyone who has access to a copy of the CA's certificate can verify the authenticity of the user's certificate by decrypting the user's DN with the public key contained in the CA's certificate. This verification method means that the information within a certificate cannot be altered, because if it is, the CA's signature will be invalidated. When someone sends a digitally signed e-mail, it contains a digital certificate. If there is a problem with the certificate, the e-mail program will send an alert.
To verify whether the digital certificate used is still valid, send a request for certificate information to the appropriate CA. The CA will send back information on the status of the certificate, including whether it has been revoked. Outlook Express has this feature. To enable it, go to the "Advanced" section of the "Security" tab in the "Options" settings. This automatically sends a request to the CA for information about the digital certificate when you open a signed message.