Digital signature

The basics of a digital signature is to try to help you ensure that something (like an email) has not been tampered with.

The process is, someone writes an e-mail, and their mail program uses their 'private key' along with the message to construct a digital signature that is attached to the email.

To verify the email has not been 'dinked' with, the receiver uses the email with the digital signature and the SENDERS 'public key' to validate everything is OK.

If the email has been messed with, the message will not verify. This is much more than just a parity or cyclic redundancy check.

Most certificates, whether for personal email or web sites, are offered with validity periods. Different registrars have different rules. And an owner can have a certificate granting agency 'invalidate' a certificate early.

I remember playing the game with OutlookExpress some years ago, and know it is done with MS Outlook, but all I can suggest is 'RTFM' [read the FINE manual ;) ] - I would THINK that it might be in the helps. I also think I remember seeing some howto information at cacert.org

Longer private and public keys are more secure than shorter ones, some encryption techniques are better than others. A 'private key' you must NEVER ALLOW it to be out of your control. Like, keep it on a keyfob you keep in your pocket and write protected. The 'public key' you often publish with your contact information on 'key servers' on the internet to allow anyone to use to verify messages you send.

Certificates are used for other things, like making a 'secure web connection' (the little lock or security symbol in your web browser when you go to a HTTPS:// web site), data transmission encryption over tunnels, you can sign and lock documents that only the ones with the correct private keys can decode.

You may also find people that have 'digital fingerprints', sometimes published on business cards, etc. They are a 'mini-signature' that can be used to validate a full signature to verify files or emails you may get from them. This is especially useful if you recieve the fingerprint in a face to face meeting where you feel you know the person well enough to take their word or they have verified to you they are whom they say they are. (Yes, folks that deal with certifications eventually seem to get paranoid, but that is how the 'bad guys' are kept a bay.)

But in the end, security is in the hands of the end user. If they do not private keys private and do not do 'sufficient' encryption, the 'bad guys' can always get your information.

That is the rough, my 2 cents version of public/private keys.

There are private organizations like thawte.com and verisign.com have the majority of the commercial market. cacert.org offers free certificates, and there are people that can help provide authentication all over the world. There are other certificate agencies out there too.

I am near Nashville and we did a 'certification event' at a computer conference a couple of years ago, so I know there are over 10 within 100 miles of where I am.

I suggest go to the cacert.org site, read their education material, and use their service. If you want to help, they also describe HOW TO become a person that can certify others. They have wiki.cacert.org for more information. You will have to register with them to get an email certificate or GPG or PGP key. (PGP and the open source version, GPG, is the software and techniques used to help with signing and encryption.)

I hope this helps.