Manage Learn to apply best practices and optimize your operations.

PKI system validation processes

Learn how an X.509 DN e-mail field is validated when you reply to a digitally signed message, and learn what to do when you want to encrypt it, in the application security Ask the Expert Q&A.

I have an S/MIME protocol question. How is the X.509 DN e-mail field validated when you reply to a digitally signed message and want to encrypt it?
In the X.509 public key infrastructure (PKI) system, a Certificate Authority (CA) issues a certificate binding a public key to a particular Distinguished Name (DN). A DN is a series of name-value pairs, such as uid=mike, that uniquely identify an individual or entity -- the certificate subject. For example, a typical DN looks something like this:

uid=mike,e=mike@abc.com,cn=mike,o=ABC Ltd.,c=GB

The meanings of the abbreviations before each equal sign are as follows:

  • uid: user ID
  • e: e-mail address
  • cn: the user's common name
  • o: organization
  • c: country

The user's public key and everything contained within the fields of an X.509 public key certificate -- including the DN -- is encrypted with the private key of the CA. Anyone who has access to a copy of the CA's certificate can verify the authenticity of the user's certificate by decrypting the user's DN with the public key contained in the CA's certificate. This verification method means that the information within a certificate cannot be altered, because if it is, the CA's signature will be invalidated. When someone sends a digitally signed e-mail, it contains a digital certificate. If there is a problem with the certificate, the e-mail program will send an alert.

To verify whether the digital certificate used is still valid, send a request for certificate information to the appropriate CA. The CA will send back information on the status of the certificate, including whether it has been revoked. Outlook Express has this feature. To enable it, go to the "Advanced" section of the "Security" tab in the "Options" settings. This automatically sends a request to the CA for information about the digital certificate when you open a signed message.

More Information

  • Learn more about S/MIME encryption here.
  • Attend E-mail Security School and learn tactics for securing your e-mail systems.

  • This was last published in February 2006

    Dig Deeper on PKI and digital certificates

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.