Information Security Tips Series
Digital Certificate (1)
Security on Personal Certificate


To secure electronic transactions and prove an individual's identity on the Internet during electronic communications with intended third parties, computer users can apply for a digital certificate. A digital certificate for an individual, also called a "Personal Certificate", comprises a cryptographic key pair: a public key and a private key. The public key can be used to verify a message signed with the private key (i.e. a digital signature on the message), or to encrypt messages that can only be decrypted with the private key.

The following points are a reminder of the security requirements of a Personal Certificate:

1. S/MIME (Secure/Multipurpose Internet Mail Extensions) is an industry standard for sending secure e-mail. For two parties to exchange signed or encrypted e-mail, both must have a public key certificate added to the keychain store of the Internet browser or e-mail programme on their computer, and must correspond through S/MIME-compatible e-mail programmes, such as Microsoft Outlook and Lotus Notes.

2. S/MIME-compatible e-mail programmes require both the sender and the recipient of secure e-mails to first have a personal certificate issued and verified by a third-party Certificate Authority (CA); this certificate is used in the process of digitally signing or encrypting messages.

3. Once generated, personal information embedded in the certificate, such as name or e-mail address, cannot be changed. In case of any change to this personal information, you should revoke your existing certificate and apply for a new one.

4. Before sending an encrypted e-mail, you must either ask your recipient to send you a signed e-mail and save his or her certificate in the address book of your e-mail programme, or search for and download your recipient's valid personal certificate containing the public key (the "public certificate") from the CA's online repository / directory.

5. Make a back-up copy of your personal certificate. This is absolutely essential in case your certificate is lost or accidentally deleted from the computer. Otherwise, you cannot recover your personal certificate and will have to apply for a new one.

6. Do not delete expired or revoked personal certificates stored in your Internet browser. Deleting a certificate also removes its private key, and without that private key it is no longer possible to read messages that were previously encrypted to the expired certificate.

7. In case your computer has been stolen together with your personal certificate, you are recommended to revoke your certificate immediately, even though your personal certificate is protected by a password, so that no one else will be able to use it to impersonate you.

8. Last of all, the technology of some CAs may not support specific written characters, e.g. Chinese characters. Check the service agreement (e.g. subscriber agreement) or Certification Practice Statement (CPS) on the CA's website before applying for your own personal certificate.
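The following OpenSSL script is an added illustration, not part of the original tips page. It walks through points 4, 5 and 6 above with a constructed identity (Alice, a self-signed certificate standing in for a CA-issued one) and a constructed message: the recipient verifies a signature with nothing but the sender's public certificate, a message encrypted to the certificate cannot be read once the private key file is deleted, and the back-up copy restores access.

```shell
#!/bin/sh
# Added illustration, not part of the original tips page: an OpenSSL S/MIME
# round-trip covering points 4, 5 and 6. Identity, paths and message text are
# constructed sample values; a self-signed certificate stands in for a CA-issued one.
WORK="${WORK:-$(mktemp -d)}"

# Key pair plus self-signed certificate. $1 = file prefix, $2 = e-mail address.
# A CA-issued personal certificate would carry the same emailProtection usage.
gen_personal_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Alice Example/emailAddress=$2" \
        -addext "extendedKeyUsage=emailProtection" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Sign message $2 with the private key of prefix $1; S/MIME output goes to $3.
smime_sign() {
    openssl smime -sign -in "$2" -signer "$1.crt" -inkey "$1.key" -out "$3" 2>/dev/null
}

# Verify signed message $1 using only the sender's public certificate $2, which is
# all the recipient keeps from a signed mail or the CA repository (point 4).
smime_verify() {
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1
}

# Encrypt message $2 to the recipient's public certificate $1; output to $3.
smime_encrypt() {
    openssl smime -encrypt -aes256 -in "$2" -out "$3" "$1" 2>/dev/null
}

# Decrypt $1 with the private key of prefix $2 into $3. Fails if the key file is gone.
smime_decrypt() {
    openssl smime -decrypt -in "$1" -recip "$2.crt" -inkey "$2.key" -out "$3" 2>/dev/null
}

# Walk through the scenario; returns 0 only if every step behaves as expected.
demo() {
    a="$WORK/alice"; msg="$WORK/msg.txt"
    printf 'Subject: demo\n\nmeet at noon\n' > "$msg"
    gen_personal_cert "$a" "alice@example.invalid" || return 1
    smime_sign "$a" "$msg" "$WORK/signed.p7m" || return 1
    smime_verify "$WORK/signed.p7m" "$a.crt" || return 1
    smime_encrypt "$a.crt" "$msg" "$WORK/enc.p7m" || return 1
    cp "$a.key" "$a.key.bak"                                        # point 5: back up first
    rm "$a.key"                                                     # point 6: key deleted
    smime_decrypt "$WORK/enc.p7m" "$a" "$WORK/out.txt" && return 1  # must fail now
    mv "$a.key.bak" "$a.key"                                        # restore from backup
    smime_decrypt "$WORK/enc.p7m" "$a" "$WORK/out.txt" || return 1
    grep -q 'meet at noon' "$WORK/out.txt"
}
```

Run `demo` after sourcing the script; a zero exit status means every step, including the expected decryption failure while the key was missing, behaved as described.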
