How do Email certificates (Digital IDs) work?

May 25, 2018 in Windows and Email S/MIME


In order to receive encrypted email or send digitally signed email, you must have a digital certificate. Having a digital certificate for your own email address does not, by itself, let you send someone encrypted email, but it does let them send encrypted email to you. This is exactly backward from how any normal person expects it to work, but, luckily, email certificates are free.

Why is it backwards? It isn't, really. Your certificate carries the public, encrypting half of your key pair, which you can hand out to everyone you know. When someone wants to send you a secret message, they use that widely known public key to encrypt it. Only your secret, private key (which must never be shared with anyone) can decrypt the message so it can be read. So a digital certificate lets you receive, but not send, encrypted email.

Secure two-way communication requires both ends to have certificates and both parties to give out their public keys. Once that is done, anyone, anywhere can send an encrypted (secret) message to either of these two people, and the two of them can now send encrypted messages to each other, each using the other's public key.

The same key pair also handles digital signatures. So that whoever receives a digitally signed message can verify it, your public key is sent along with your message. And to ensure that the public key that came with the message really belongs to the true sender and was not simply made up, Comodo includes its own signature in your certificate to back up your claim. This is why you get a digital certificate from a recognized certificate authority instead of just creating your own.

Note that you may sometimes be told that you only need a digital certificate to receive encrypted email. While this is technically true, it is not an ideal arrangement. When someone sends you an encrypted message, you have no way of verifying that the sender is really who they claim to be. If the sender also has a digital certificate, then you know that the correct person sent the message. (As an aside, Microsoft decided it was entirely too complicated to explain such things and elected to only allow you to send encrypted email if both ends have a certificate; you can, however, still send digitally signed messages with just your own certificate.)

The way you give someone your public key, so that you can receive encrypted email from them, is to send them a signed email from your account first. The recipient must then store the certificate you used (which carries your public key) in their address book to be able to send you encrypted email afterward.
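The whole flow above, as an added illustration that is not part of the original post: a toy model of the certificate exchange in which a CA signs an (address, public key) binding, a signed message carries the sender's certificate, the recipient checks it and files it in an address book, and only then can encrypt to that sender. It uses textbook RSA over small fixed primes and constructed addresses purely for demonstration; a real S/MIME client uses standardized padding, X.509 certificates and far larger keys.

```python
import hashlib
import secrets

# Textbook RSA over fixed small primes: a constructed toy that shows which key does
# what, not a real S/MIME implementation (no padding, tiny moduli, toy stream cipher).
def make_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)
def _digest(data, n):        # SHA-256 of the data, reduced into the RSA group
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):        # needs the private key: only its holder can do this
    return pow(_digest(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):  # needs only the public key carried in the certificate
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

def issue_cert(ca_priv, email, pub):
    # The CA signs the (address, public key) binding; this is the "Comodo backing".
    return {"email": email, "pub": pub, "ca_sig": sign(ca_priv, f"{email}|{pub}".encode())}
def cert_is_valid(ca_pub, cert):
    return verify(ca_pub, f"{cert['email']}|{cert['pub']}".encode(), cert["ca_sig"])

def send_signed(priv, cert, body):
    # A signed message carries the sender's certificate, i.e. their public key.
    return {"body": body, "cert": cert, "sig": sign(priv, body.encode())}

def receive_signed(ca_pub, address_book, mail):
    """Check the CA signature and the message signature; store the cert on success."""
    cert = mail["cert"]
    ok = cert_is_valid(ca_pub, cert) and verify(cert["pub"], mail["body"].encode(), mail["sig"])
    if ok:
        address_book[cert["email"]] = cert   # from now on we can encrypt to this sender
    return ok

def _keystream(key_int, length):
    blocks = (hashlib.sha256(f"{key_int}:{i}".encode()).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_to(address_book, email, body):
    """Hybrid scheme like S/MIME: RSA-wrap a random session key, stream-encrypt the body."""
    cert = address_book.get(email)
    if cert is None:             # no certificate for the recipient: cannot encrypt to them
        return None
    n, e = cert["pub"]
    session, data = secrets.randbelow(n - 1) + 1, body.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(session, len(data))))
    return {"wrapped_key": pow(session, e, n), "ciphertext": ct}
def decrypt(priv, envelope):
    session, ct = pow(envelope["wrapped_key"], priv[1], priv[0]), envelope["ciphertext"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(session, len(ct)))).decode()
```

With one certificate issued to the constructed address alice@example.com, a recipient who has processed her signed mail can encrypt to her, while she gets `None` from `encrypt_to` for anyone whose certificate she has never received.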