PGP vs Digital IDs
We need to encrypt email between a customer of ours and us. I have been looking at options. We are footing the bill. It will begin with a single address here and one customer with three email addresses. We will expand this to over 20 customers if things go well. This will get expensive so we want to choose the right solution. We want something that will be cross platform and non-intrusive for the customer, not to mention easy to set up. Any opinions? Thanks in advance for your time!
PGP vs Digital IDs
"Fredly" wrote in message ...
> We need to encrypt email between a customer of ours and us. I have been looking at options. We are footing the bill. It will begin with a single address here and one customer with three email addresses. We will expand this to over 20 customers if things go well. This will get expensive so we want to choose the right solution. We want something that will be cross platform and non-intrusive for the customer, not to mention easy to set up.

If you and the recipients are using Outlook (because you asked in this newsgroup), why not use x.509 certificates? Support for them is already built into Outlook. You can get free e-mail certs at Thawte but they really aren't of much use. Anyone can get one and about all they are good for is to identify the e-mail address of sender in a digital signature and are useful for encryption. You can go through their Web Of Trust mechanism to get more information put into your certificate to provide more details, like who you actually are versus just your e-mail address. There is probably a charge for each WOT notary you use to up the credibility of your cert. You could get a cert from Verisign that has all your credentials already in it, and your customers could get freemail certs from Thawte. It depends on which party must be the most detailed in the credentials they provide in their digital signature.

Whether x.509 or PGP, you will need to send a digitally signed mail to the recipient who then must save your public key included in that mail, usually by saving you as a contact. Then when they want to send you encrypted mails, they use your public key, send it to you, and you use your private key to decrypt their mail. If you want to send them encrypted mails, you need to have them send you their public key in a digitally signed mail. You get a cert so you can sign your mails and others can send you encrypted mails. They get a cert so they can sign their mails and you can send them encrypted mails.

I haven't used PGP but I hear there is an add-on that lets it work within Outlook. Not all PGP providers are free. I haven't bothered with buying a cert because, for personal mails, identifying myself by my e-mail address is sufficient as far as I am concerned, so the freemail certs from Thawte are okay for me. I only use my cert to digitally sign a few of my e-mails. No one I know has sent me their cert in a digitally signed mail (so I can get their public key) so I cannot send them encrypted mails.

Thawte has their freemail certs but there are drawbacks to having to use their WOT if you want more credentials in your cert. I suspect Verisign is a pricey cert provider. Thawte and GeoTrust are cheaper. Thawte is probably a lot cheaper than Verisign but Verisign acquired Thawte back around 2000, so I've read where some Thawte users will have their Thawte cert branded with "A Verisign Company" since users know and most trust Verisign. I only dipped into the PGP cert mechanism but didn't bother with it, so someone else will have to offer advice on that other scheme.

--
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
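The exchange described in the reply above (a signed mail carries the sender's cert, the recipient saves it, and replies are encrypted to that public key), as an added example that is not part of the original thread. It uses the openssl command line; the "Demo CA", the vendor/customer names and the example.test addresses are constructed stand-ins for a commercial CA and real mailboxes.

```shell
#!/bin/sh
# Constructed setup: a throwaway "Demo CA" stands in for a commercial CA;
# vendor/customer and the example.test addresses are made-up mailboxes.

smime_exchange() (
  work=$(mktemp -d) || exit 1
  trap 'rm -rf "$work"' EXIT
  cd "$work" || exit 1
  q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

  # The CA both sides trust, then one key pair + cert per mailbox.
  q openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.crt || exit 1
  for who in vendor customer; do
    q openssl req -newkey rsa:2048 -nodes -keyout "$who.key" -out "$who.csr" \
        -subj "/CN=$who/emailAddress=$who@example.test" || exit 1
    q openssl x509 -req -in "$who.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 30 -out "$who.crt" || exit 1
  done

  # 1. Vendor sends a signed mail; the signature carries vendor.crt.
  printf 'Please send the order details encrypted.\n' > hello.txt
  q openssl smime -sign -in hello.txt -text -signer vendor.crt \
      -inkey vendor.key -out signed.eml || exit 1

  # 2. Customer verifies against the CA and saves the signer's cert
  #    (the command-line analogue of saving the sender as a contact).
  q openssl smime -verify -in signed.eml -CAfile ca.crt \
      -signer contact_vendor.crt -out /dev/null || exit 1
  # The e-mail address inside the cert is the identity being vouched for.
  signer=$(openssl x509 -in contact_vendor.crt -noout -email) || exit 1

  # 3. Customer encrypts the reply to the saved public key.
  printf 'Order 1234: 20 units\n' > reply.txt
  q openssl smime -encrypt -aes256 -in reply.txt -out reply.eml \
      contact_vendor.crt || exit 1

  # 4. The vendor's private key opens it.
  q openssl smime -decrypt -in reply.eml -recip vendor.crt \
      -inkey vendor.key -out plain.txt || exit 1
  # Drop any CRs left by S/MIME line-ending canonicalisation.
  plain=$(tr -d '\r' < plain.txt)
  # The customer's own key must not be able to decrypt the same mail.
  if q openssl smime -decrypt -in reply.eml -recip customer.crt \
      -inkey customer.key; then exit 1; fi

  printf '%s|%s\n' "$signer" "$plain"
)

smime_exchange
```

For mail in the other direction the roles swap: the customer signs a mail with customer.crt, and the vendor saves that cert and encrypts to it.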
PGP vs Digital IDs
Thank you for the info!!!!
I like the Thawte free option... I was thinking we would need to buy from Verisign and pay roughly $15 a month, per ID. What exactly are the differences between a pay cert and a free cert?
PGP vs Digital IDs
Fredly wrote:
> Thank you for the info!!!! I like the Thawte free option... I was thinking we would need to buy from Verisign and pay roughly $15 a month, per ID. What exactly are the differences between a pay cert and a free cert?

Try www.thawte.com

Kerry
PGP vs Digital IDs
"Fredly" wrote in message ...
> Thank you for the info!!!! I like the Thawte free option... I was thinking we would need to buy from Verisign and pay roughly $15 a month, per ID. What exactly are the differences between a pay cert and a free cert?

Mostly what I said, that all you get as your identity in a freemail cert is your e-mail address. That is it! The recipient won't know who you are unless they know your e-mail address (which is in the cert and NOT the one in the headers of the e-mail which can be bogus). You can get more credentials identifying yourself by going through their web of trust scheme but I don't know what their WOT notaries charge (you'll have to do that research yourself).

The freemail certs from Thawte expire after 1 year, so you'll have to go through the process of getting a new cert and sending digitally signed mails to your customers so they can use your public key to encrypt their mails that they send to you. You only need 1 mail cert to let your customers send you encrypted mails. Each customer will need their own cert to let you send encrypted mails to them. So you might want to look at Thawte or GeoTrust to see how their pricing compares against Verisign to determine if you want a fully credentialed cert right away (rather than pay WOT notaries and take the time to do so for a Thawte cert).

--
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
PGP vs Digital IDs
Thanks Vanguard. Another question:
Is there a way to automatically sign and encrypt email in Outlook via S/MIME and Digital IDs to certain contacts all the time without having to manually check on each email? We do not want to set these settings for every email due to the message you must choose "send unencrypted" each time. Thanks in advance for your time!!
PGP vs Digital IDs
"Fredly" wrote in message ...
> Thanks Vanguard. Another question: Is there a way to automatically sign and encrypt email in Outlook via S/MIME and Digital IDs to certain contacts all the time without having to manually check on each email? We do not want to set these settings for every email due to the message you must choose "send unencrypted" each time.

You can set Outlook to digitally sign all outbound e-mails. You can only encrypt outbound mails for which you have received the recipient's certificate (you use THEIR public key to encrypt). If you don't have a cert from the recipient, you can't encrypt to them. So I suspect that you could leave encryption always enabled but it won't encrypt except for those recipients that have previously sent you their public key in a digitally signed mail (that you need to save in your contact folder).

--
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
PGP vs Digital IDs
Fredly wrote:
> I like the Thawte free option...

I thought the Thawte certificate is free only for personal use and not for use in a business environment, but checking their web site doesn't seem to indicate there are any restrictions of that type. It's certainly an option. There is also a free GnuPG encryption application that is the Gnu version of PGP (which was purchased by a company) and there's an Outlook plug-in for GPG.

--
Brian Tillman
PGP vs Digital IDs
Vanguard wrote:
> So I suspect that you could leave encryption always enabled but it won't encrypt except for those recipients that have previously sent you their public key in a digitally signed mail (that you need to save in your contact folder).

I'll confirm this. Some of the people in the company for which I work exchange encrypted mail with people in another company. They have encryption enabled all the time and if there's a cert for the recipient, the message will be encrypted. If there is no cert, then there is no encryption. Outlook handles it automatically.

As for the person being in the Contacts folder, it's not necessary in the case of a publicly available LDAP server in which Outlook can perform a query for the recipient. That's how we have things set up. We reference an LDAP server in which can be found the names of those people who have certs. Outlook will first look in the Contacts folder and then query the LDAP server if the name isn't in the folder.

--
Brian Tillman
PGP vs Digital IDs
Brian Tillman wrote:
> Fredly wrote:
>> I like the Thawte free option...
>
> I thought the Thawte certificate is free only for personal use and not for use in a business environment, but checking their web site doesn't seem to indicate there are any restrictions of that type. It's certainly an option. There is also a free GnuPG encryption application that is the Gnu version of PGP (which was purchased by a company) and there's an Outlook plug-in for GPG.

For $19,95 a year you can get a Verisign class 1 certificate. They use the credit card details to 'authenticate' the person. This is a little better/secure than the Thawte version (only the e-mail address gets verified). As far as I know there is no restriction on business use etc.

Drawback on PGP, GPG etc. is that every user needs to have some piece of software installed. The advantage of x509 certificates is that almost every e-mail client supports it.

The link is kinda hidden, because they'd rather sell you their services :)
http://www.verisign.com/products-ser...dev004002.html

Willem