EmailSharePrint

Gatekeeper: General FAQs

What is a digital signature?
A digital signature functions for electronic documents like a handwritten signature does for printed documents. The signature is an unforgeable piece of data that asserts that a named person wrote or otherwise agreed to the document to which the signature is attached.

A digital signature actually provides a greater degree of security than a handwritten signature. The recipient of a digitally signed message can verify both that the message originated from the person whose signature is attached and that the message has not been altered either intentionally or accidentally since it was signed. Furthermore, secure digital signatures cannot be repudiated; the signer of a document cannot later disown it by claiming the signature was forged.

In other words, digital signatures enable "authentication" of digital messages, assuring the recipient of a digital message of both the identity of the sender and the integrity of the message.

How is a digital signature used for authentication?
Suppose Alice wants to send a signed message to Bob. She creates a message digest by using a hash function on the message. The message digest serves as a "digital fingerprint" of the message; if any part of the message is modified, the hash function returns a different result. Alice then encrypts the message digest with her private key. This encrypted message digest is the digital signature for the message.

Alice sends both the message and the digital signature to Bob. When Bob receives them, he decrypts the signature using Alice's public key, thus revealing the message digest. To verify the message, he then hashes the message with the same hash function Alice used and compares the result to the message digest he received from Alice. If they are exactly equal, Bob can be confident that the message did indeed come from Alice and has not changed since she signed it. If the message digests are not equal, the message either originated elsewhere or was altered after it was signed.

Note that using a digital signature does not encrypt the message itself. If Alice wants to ensure the privacy of the message, she must also encrypt it using Bob's public key. Then only Bob can read the message by decrypting it with his private key.

It is not feasible for anyone to either find a message that hashes to a given value or to find two messages that hash to the same value. If either were feasible, an intruder could attach a false message onto Alice's signature. Specific hash functions have been designed to have the property that finding a match is not feasible, and are therefore considered suitable for use in cryptography.

One or more Digital Certificates can accompany a digital signature. If a Digital Certificate is present, the recipient (or a third party) can check the authenticity of the public key.

How do Digital Certificates work?
Digital Certificates use public key encryption techniques that use two related keys, a public key and a private key. In public key encryption, the public key is made available to anyone who wants to correspond with the owner of the key pair. The public key can be used to verify a message signed with the private key or encrypt messages that can only be decrypted using the private key. The security of messages encrypted this way relies on the security of the private key, which must be protected against unauthorised use.

A Digital Certificate is signed by the Certification Authority that issued the Digital Certificate. Multiple digital certificates can be attached to a message or transaction, forming a certification chain where each Digital Certificate testifies to the authenticity of the previous Digital Certificate. The top-level certification authority must be independently known and trusted by the recipient


Why do I receive the error: "The message could not be sent. An error has occurred" When sending digitally-signed mail in Microsoft Outlook Express?
This behaviour can occur if you click Cancel at the Windows Log On. Outlook Express is unable to locate your personal certificate information and will therefore be unable to send digitally-signed messages or decrypt messages received.

This behaviour can also occur if the username.pwl file is corrupt, missing, or renamed.

RESOLUTION:
To resolve this issue, when you are prompted for user name and password, enter the correct information and press OK.

You should export the Personal Certificate before renaming or deleting the username.pwl file, and then import the certificate after creating a new .pwl file. If you are unable to export the certificate, you need to obtain another personal certificate.

What are dual key certificates and how are they different from single key certificates?
Dual Key certificates are certificates that the functionality is split between two certificates. This means you will receive two certificates rather than one certificate.

The Signing Certificate is used to sign your email or to otherwise prove that you are who you say you are. The Encryption Certificate is used to handle the encryption of your email.

Dual Keys enable a more secure system for backing up your certificates. A copy of your Encryption Certificate should always be kept to enable the decryption of any emails encrypted using this certificate. In fact it needs to be retained for a period longer than the life of the certificate, as you may need to decrypt emails you received some time ago. However, retaining a copy of your Signing Certificate is not required and reduces the security of this certificate. That is, the more copies of this certificate that exist, the greater the possibility of somebody using a copy to impersonate you.

If you had just one certificate to both sign and encrypt, you would need to retain a back-up copy to ensure you could decrypt all emails. Having Dual Key certificates means you are able to back up your Encryption Certificate only and still be confident that the Signing Certificate used to identify you only exists on your personal system, with no copies available around that could be used maliciously by third parties.

This can also be very useful for companies. Copies of all Encryption Certificates can be kept in a central storage repository, which allows the company to access the encrypted messages of a particular employee if the need arises. However, as the company has no need to retain copies of Signing Certificates, the non-repudiation of an employee's email is unaffected as the certificate is not available for another person to use.

Can I use one certificate for multiple email addresses?
No you cannot. At this stage, we can issue them, but they will not be recognised by most email software. So you should request a certificate for each email address separately. You can have multiple e-mail addresses attached to an account, but when you request each certificate you will be asked which e-mail address you want the certificate attached to.

There is an S/MIME .p7m attachment to my email, what is it?
S/MIME is the secure email protocol, and .p7 is a digital signature file. If this is received as an attachment, or text block, then you are using a mail client which is not S/MIME compatible, and will not be able to use the attached certificate.

After installing the certificate I get an 'Expired Certificate' message?
This could happen because your certificate has been issued in USA time zone and has not become valid yet. All you need to do then is wait a while or turn your clock forward.

How do I send encrypted email?
As soon as two people want to send encrypted mail to each other, both need a certificate. In order to get the other persons public key, simply ask him to send you a signed email. The public key will automatically be sent with the e-mail and installed in your browser. When you want to send encrypted email, select this option in your mail program, and the public key (certificate) matching the email address, will be used to encrypt the message. When it is received, that person must use their private key (usually protected with a password) to decrypt it. The private key is stored locally on your machine, and if you lose this, you will not be able to read encrypted mail. More instructions can be found on our support pages.

When I try to download my Digital Certificate I receive the message "private key not found"
When you retrieve your Digital Certificate, we automatically check to make sure that the private key created in your hard drive during enrolment matches the public key in your Digital Certificate. In order for these to match, you must be using the same Web browser, in the same directory, on the same computer as you were when you requested the Digital Certificate.

Can I send secure e-mail to someone who does not have a Digital Certificate?
No, you cannot encrypt a message, however, unless you have the recipient's Digital ID. You can, however, digitally sign any e-mail as long as the recipient has an e-mail application which supports S/MIME.

What e-mail applications support Digital Certificates?
The following e-mail programs support Class 1 Certificates:

  • Outlook Express
  • Outlook 98
  • Outlook 2000
  • Netscape Messenger

Outlook 98, Outlook 2000 and Outlook Express will work when the IE browser is installed on a PC. IE browsers need to be version 4.0 or greater.

Netscape Messenger works when Netscape browsers are installed on a PC or MAC. Netscape browsers need to be version 4.06 or greater.

More instructions can be found on our support pages.


Why should I save a backup copy of my Digital Certificate?
In case your hard drive crashes or your Digital Certificate files are accidentally deleted. If you store a backup copy of your Digital Certificate on a floppy disk in a secure place, then you will always be able to re-install your Digital Certificate. If you lose your Digital Certificate and it is not backed-up, then you will lose any messages that have been encrypted for you.


How do I save a backup copy of my Digital Certificate? (Netscape)

  1. 1. Click on the security icon (the one that looks like a padlock) from the main toolbar.
  2. 2. Click on "Yours" under "Certificates" from the menu on the left.
  3. 3. Highlight the Digital Certificate you want to save, then click the Export button.
  4. 4. Choose a transport password, which you will be required to present when importing (re-opening) your Digital Certificate, then click OK.
  5. 5. Select a location (such as your floppy disk) and file name in which to save your Digital Certificate, then click Save.
  6. 6. Save your floppy disk and your transport password in a safe location.

How do I transfer my Digital Certificate on a new computer? (Netscape)
The first step for transporting your Digital Certificate is to save ("export") it from the hard drive of the computer where it is currently held onto a floppy disk or other transport medium. When your Digital Certificate has been successfully exported, you can then import it into the new location. To import your Digital Certificate into Netscape:

  1. 1. Click on the security icon (the one that looks like a padlock) from the main toolbar.
  2. 2. Click on "Yours" under "Certificates" from the menu on the left.
  3. 3. Click the Import Certificate button located near the bottom of the page.
  4. 4. If prompted, enter the password used to protect your Digital Certificate (this is NOT the transport password, but the security password you use each time you present your Digital Certificate). You may be prompted to enter this password multiple times before it takes.
  5. 5. Locate your Digital Certificate from the disk and folder in which it is saved (it should have a .pfx or .p12 extension). Once you have found it, highlight it and click Open.
  6. 6. Enter your transport password and click OK. (If your Digital Certificate shows up as a long series or numbers or letters, it should still work correctly.)

How do I save a backup copy of my Digital Certificate? (Microsoft Internet Explorer)

  1. 1. From the View menu of Explorer, choose "Internet Options..."
  2. 2. Select the Content tab.
  3. 3. Select Personal from the Certificates list.
  4. 4. Highlight the Digital Certificate you wish to save, then click the Export button.
  5. 5. Choose a password and a file name for your Digital Certificate. This new password protects this specific copy of your Digital Certificate--you will be required to present it when you want to import or open this copy of your digital certificate. Be sure to include a disk and folder location in the file name, such as a: if you want to save to a floppy disk. Click OK.
  6. 6. If prompted, enter the security password you have always used to protect your Digital Certificate. You may be prompted to enter this password multiple times (possibly as many as 20) before it takes. Save your floppy disk and your transport password in a safe location.

How do I transfer my Digital Certificate to a new computer? (Microsoft Internet Explorer)
The first step for transporting your Digital Certificate is to save ("export") it from the hard drive of the computer where it is currently held onto a floppy disk or other transport medium. When your Digital Certificate has been successfully exported, you can then import it into the new location. To import your Digital Certificate into Internet Explorer:

From the View menu of Explorer, choose "Internet Options..."

  1. 1. Select the Content tab.
  2. 2. Select Personal from the Certificates list.
  3. 3. Click the Import button.
  4. 4. Locate your Digital Certificate from the disk and folder in which it is saved (it should have a .pfx or .p12 extension). Once you have found it, highlight it and click Open.
  5. 5. If prompted, enter the security password used to protect your Digital Certificate (this is NOT the transport password, but the security password you use each time you present your Digital Certificate). You may be prompted to enter this password multiple times (possibly as many as 20) before it takes.
  6. 6. Enter your transport password and click OK.

How many e-mails accounts are supported by my Digital Certificate?
Your Digital Certificate applies to the e-mail address that you indicate during the enrolment process. If you have multiple e-mail addresses you will need multiple Digital Certificates. A Digital Certificate applies to only one e-mail address.

How do I revoke my Digital Certificate?
You will need to go to the certificate management page [/certificatemanagement]. Here you will need to search using your email address for your certificate. Once found select your certificate from the list given. You will also need your Challenge Phrase from the original enrolment.

Why would I need to revoke my Digital Certificate before it expires?
You would need to revoke your Gatekeeper Certificate if its security became compromised or if you lost the ability to use it and wanted a replacement. For example, if somebody stole your computer with your private key file and you had not protected this file with a password, that person could read your encrypted messages and impersonate you on the Internet. You would want to revoke (cancel) your Gatekeeper Certificate so that we would no longer vouch for the holder of that Gatekeeper Certificate. Alternatively, if your hard drive crashed and you lost your private key file, you would be unable to use your digital certificate. In this case you would want to revoke the Gatekeeper Certificate so that you could get a new key pair and a replacement Gatekeeper Certificate.

Can somebody else revoke my Digital Certificate without my knowledge or permission?
No. When you enrolled for your Gatekeeper Certificate you chose a "challenge phrase" which only you should know. To change the status of your Gatekeeper Certificate in any way you have to present this phrase.

Upon sending an encrypted message, I receive the following "Non-Secure Recipients" message: "None of the recipients can process an encrypted message. You can either proceed with an unencrypted message or cancel the operation."
This message is displayed because the recipient email address entered, originated from the Global Address List or other non-contact address source. You must use the contact record that contains the recipient's Digital Certificate to address the message.

Need More Info?
Call +61 3 9914 5600
Email sales@verisign.com.au
  • My Gatekeeper
  • My Gatekeeper Sign In
Visit our Support section