Control Your Identity or Microsoft and Intel Will
by Jon Udell
Once enrolled, you can create one or more digital IDs. That process goes like this:
1. Choose X.509 format. The options include Netscape (works with Mozilla too), MSIE, Outlook or Outlook Express, Lotus Notes R5, Opera, and the C2Net SafePassage Web Proxy.
2. Common Name. If you're notarized through the Thawte Web of Trust, your certificate can include your name. Otherwise (as in my case) the common name will be "Thawte Freemail Member."
3. Email addresses. Listed here are the addresses you've entered into the system. To add one, use the add, then ping, functions. Although you can embed several addresses in a certificate, Thawte advises that you use just one. This address, embedded in the certificate, will match (and validate) the address on your From: header.
4. Strong Extranet. If your identity is certified as part of Thawte's commercial certification program, associated identities would be available here and could be included in the certificate. Such an identity could, for example, enable single sign-on to a suite of corporate applications.
5. Certificate extensions. Regarding these, Thawte says: "Please note that the extension options below are not for the faint of heart. You probably won't trigger a Vogon invasion of Earth if you press the wrong button, but you might cause weird behavior in some otherwise-normal software. Don't fiddle with this unless you've been told to, or unless you're a born fiddler."
6. Cryptographic service provider. The default here, on Windows, is Microsoft Enhanced Cryptographic Service Provider 1.0.
7. Generate private key. If you're on Windows, and you are creating a certificate for use in Outlook or Outlook Express, this is your chance to ratchet up the password security on the certificate. You'll see a dialog box; click on its Set Security Level button to bring up a second dialog box:
Choosing High means you'll be asked for your digital ID password each time you sign a message. Most people won't want to do this, but I like to. It makes the act of signing an email message feel like signing a physical document. The equivalent setting, in Netscape, is available anytime (not just during key generation) at Edit -> Preferences -> Privacy and Security -> Master Password -> Master Password Timeout -> Every time it is needed.
When you've generated your key, Thawte issues the URL at which you can retrieve your certificate. It takes a few minutes to process your request. Then, on that page, you can click on a link to install the certificate into your email program.
What has all this rigmarole finally accomplished? There's the rub. You can assert the validity and integrity of your messages, but no one expects you to. You can automatically acquire public keys from others who sign their message, but no one does so. Having acquired those keys you can encrypt messages to those people, but again, they don't expect you to do so.
The problem with the S/MIME suite of email security features is that they tackle problems people pay lip service to, but don't really care much about. A problem that people do care about, though, is spam. Do we care enough to assert our identities, and thus enable software to separate us from abusers who will not? It's debatable, but in any case let's consider how a culture of voluntary-identity assertion might combat abuse.
Imagine for a moment that email signing is routine. I've said we could then separate email correspondents into two groups: professionals and amateurs. In practice, that would mean an email filter that classifies messages based on the presence of a valid signature. This wouldn't be a difficult thing to do, but since there's never been demand for the feature, the filtering mechanisms in popular email software don't currently support it.
The harder problem is certificate revocation. To explore this issue, I revoked one of my Thawte Freemail certificates. The goal of the exercise was to get my email software to notice that a message was signed with a bogus certificate. The technology exists, but it's even more obscure than the basics I've reviewed here so far. On this Thawte Web page there is a link to Thawte's Freemail CRL (certificate revocation list). Merely acquiring a certificate doesn't connect you to the CRL. If you want your software to reject bogus certificates, you'll have to track down its URL and load it. When you do so in MSIE, you'll invoke this CRL viewer, shown here displaying the certificate (serial number 07 c1 0a) that I revoked:
Note, by the way, that it took about six hours for my revocation to appear on the list--plenty of time for a spammer to complete a broadcast.
An MSIE user would, in any case, have to repeatedly fetch the CRL--which is, of course, unlikely. Mozilla does much better. Once you fetch the CRL, you can arrange to have it updated daily, like so:
Of course, updating the CRL doesn't help you unless your software actually consults it. So far as I can tell, Outlook doesn't. Messages signed by my revoked certificate look completely normal in Outlook. Mozilla, on the other hand, comes up smelling like a rose. Here's what I expected to see, and did see, in Mozilla:
Note how the broken pencil signals an invalid signature. Mozilla also claims (though I did not test) support for Online Certificate Status Protocol (OCSP), which aims to augment or replace CRL technology with a more direct protocol.
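As an added example (not code from the article, Thawte or Mozilla), here is the policy layer the article finds missing in Outlook: a Python filter that sorts messages by whether an S/MIME signature structure is present and then actually consults a CRL snapshot, treating a list past its next-update time as "unknown" rather than "good". It assumes the mail client's S/MIME library has already verified the signature and handed over the signer's serial number (a hypothetical interface, not shown); the CRL and the messages are constructed sample data, with the revoked serial 07 c1 0a taken from the article.

```python
import email
from email import policy
from datetime import datetime, timedelta, timezone

SIG_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}  # both spellings seen in clients

def signature_kind(raw: bytes) -> str:
    """Classify a message by MIME structure alone: clear-signed, opaque-signed or unsigned."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.get_param("protocol") in SIG_PROTOCOLS:
        return "clear-signed"
    if ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "signed-data":
        return "opaque-signed"
    return "unsigned"

def serial_to_int(shown: str) -> int:
    """A serial as a CRL viewer prints it ('07 c1 0a') -> the integer the CRL entry holds."""
    return int(shown.replace(" ", "").replace(":", ""), 16)

def revocation_status(serial: int, crl: dict, now: datetime) -> str:
    """crl = {"this_update": dt, "next_update": dt, "revoked": {serial: revocation_date}}.
    An expired list yields 'unknown', never 'good'; even a fresh one is blind to revocations newer than this_update."""
    if now > crl["next_update"]:
        return "unknown"
    return "revoked" if serial in crl["revoked"] else "good"

def filter_decision(raw: bytes, signer_serial, crl: dict, now: datetime) -> str:
    """The filter the article imagines: signed and good -> professional, unsigned -> amateur,
    revoked -> reject, stale CRL -> hold. signer_serial is assumed to come from the client's S/MIME verifier."""
    if signature_kind(raw) == "unsigned" or signer_serial is None:
        return "amateur"
    verdict = revocation_status(signer_serial, crl, now)
    return {"good": "professional", "revoked": "reject", "unknown": "hold"}[verdict]

# Constructed sample data: a CRL snapshot listing the serial revoked in the article, and two messages.
NOW = datetime(2002, 1, 10, 12, 0, tzinfo=timezone.utc)
STALE_NOW = NOW + timedelta(days=2)                      # past next_update: the list has expired
SAMPLE_CRL = {
    "this_update": NOW - timedelta(hours=6),             # the six-hour lag the article observed
    "next_update": NOW + timedelta(days=1),
    "revoked": {serial_to_int("07 c1 0a"): NOW - timedelta(hours=6)},
}
SIGNED_MSG = (b"From: member@example.com\r\nTo: you@example.net\r\nContent-Type: multipart/signed;"
              b' protocol="application/pkcs7-signature"; micalg=sha1; boundary="B"\r\n\r\n--B\r\n'
              b"Content-Type: text/plain\r\n\r\nhello\r\n--B\r\nContent-Type: application/pkcs7-signature;"
              b" name=smime.p7s\r\nContent-Transfer-Encoding: base64\r\n\r\ncGxhY2Vob2xkZXI=\r\n--B--\r\n")  # placeholder blob
PLAIN_MSG = b"From: anyone@example.org\r\nTo: you@example.net\r\nContent-Type: text/plain\r\n\r\nbuy now\r\n"
```

Run `filter_decision(SIGNED_MSG, serial_to_int("07 c1 0a"), SAMPLE_CRL, NOW)` to see the revoked signer rejected, and pass `STALE_NOW` instead of `NOW` to see the same message held because the CRL can no longer vouch for anything.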
There are, admittedly, plenty of holes in the argument I've made here. Certificate revocation would have to work in near real-time, as OCSP hopes to enable. Certificates would need to bind more durable identity tokens than fungible email addresses. A culture of identity would be at odds with the culture of anonymity that is, for many people, a core value of the Internet. It comes down to this. We can choose to control our own identities, by embracing and refining some existing technologies that are widely available. Or we can cede that control to a cartel that wants to reinvent the PC and the Internet in ways antithetical to freedom and innovation. If spam is the fulcrum issue that will motivate the masses to accept a change, let's offer a solution based on a voluntary framework of trust. We'll like the alternative mandatory scheme a lot less.