Hi everybody,

First, I need to address why I posted this in a privacy community: with such a certificate, anybody who has an e-mail client shipped with the root certificate of the CA (or one higher up in the CA chain), so anybody, can send me an encrypted e-mail without much knowledge of the technology behind it and can also be sure that it is me who receives the private message. No need to know each other, exchange and import a key, etc. beforehand, as with other approaches. In this use case I am not anonymous, of course; on the contrary, very much the opposite, but the message content is private. I hope I am not off-topic.

So, now it is time for my actual problem/question: this is not the first time I have researched where I could get such a certificate, and last time I ended up talking to some sales guys from a CA who first thought I was representing a company, and when they found out that I just wanted a personal certificate for one e-mail address they said they would call me back and ghosted me. At this point I should mention the obvious: in order to verify my identity to satisfy the requirements of what is often referred to as a qualified electronic signature in legal texts, such as laws and regulations like, for instance, EU Regulation No 910/2014, I would most probably need to show up personally at the CA or an authorized partner, which narrows down the possible candidates for CAs drastically, in my case to the EU. Additionally, the CA (or one higher up the tree) should be shipped with the major mail clients, which narrowed it down to two last time…

Now, again a few years later, I am completely stuck in my online research, since I cannot find any company that mentions that level of identification for a private e-mail address. Instead, I am flooded with search results for services that would give me a certificate that basically only assures that some guy proved he has access to that mail account.

Could anyone point me in the right direction, please? Thanks a lot in advance!

    • username@lemm.ee (OP)
      5 days ago

      The problem with those personal certificates is that nobody checks any ID, so there is no guarantee that it’s me, and therefore it is not a qualified electronic signature. Sure, the encryption aspect works for that random guy behind his Outlook client, but my mail will not be marked green, i.e. “you can trust that it really is that guy”.

  • catloaf@lemm.ee
    5 days ago

    Basically, your cert needs to be signed by a cert authority that the other person already trusts. As you’ve found, nobody really wants to deal with this for individuals.

    Generally, what people do is create a self-signed cert and publish it, either on their own site or that of a third party like https://keys.openpgp.org/, then convince people to trust it, usually through an existing trusted communication channel, such as by meeting in person.

    Certs and keys are more or less the same thing, a cert just has metadata like being signed by a CA, while keys are solely the public-private keypair and nothing else.
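The two points in the comment above, that what matters is whether the signer is already in the recipient's trust store, and that a certificate is just a public key plus signed metadata, can be seen directly in code. The following is an added example, not code from the thread or from any CA or mail client: it uses only Go's standard library to mint a hypothetical CA, issue an S/MIME-style certificate for the constructed address alice@example.org, issue a self-signed one for the same address, and then run the check a mail client performs under each trust configuration. The CA name, the addresses and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey returns a P-256 keypair: a "key" in the sense used above, public and
// private halves with no identity or signature attached.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mint signs tmpl with signer (the parent's key) and parses the resulting DER.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// mintCA creates a self-signed CA (hypothetical, not a real issuer). Anyone
// with it in their trust store will accept e-mail certificates it signs.
func mintCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mint(tmpl, tmpl, &key.PublicKey, key), key
}

// mintEmailCert wraps a new public key in the metadata a mail client reads:
// the address as a SAN, a validity window, the e-mail-protection EKU and the
// signature of whoever vouches for the binding. With ca == nil the cert is
// self-signed (the "publish it yourself" route); otherwise the CA signs it.
func mintEmailCert(email string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(time.Now().UnixNano()),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	parent, signer := tmpl, key
	if ca != nil {
		parent, signer = ca, caKey
	}
	return mint(tmpl, parent, &key.PublicKey, signer), key
}

// verifyForEmail is the check a client runs before marking a sender trusted:
// chain to a root already in the store, validity and EKU, then the address.
func verifyForEmail(cert *x509.Certificate, email string, trusted *x509.CertPool) error {
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}); err != nil {
		return err
	}
	for _, e := range cert.EmailAddresses {
		if e == email {
			return nil
		}
	}
	return fmt.Errorf("certificate is not issued for %s", email)
}

func main() {
	// Constructed identities; no real CA or person is involved.
	ca, caKey := mintCA("Example Personal CA")
	alice, _ := mintEmailCert("alice@example.org", ca, caKey)
	selfSigned, _ := mintEmailCert("alice@example.org", nil, nil)
	withCA, pinned, empty := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	withCA.AddCert(ca)         // the recipient's client trusts the CA
	pinned.AddCert(selfSigned) // the recipient imported Alice's published cert by hand
	fmt.Println("CA-signed, CA trusted:    ", verifyForEmail(alice, "alice@example.org", withCA))
	fmt.Println("CA-signed, CA untrusted:  ", verifyForEmail(alice, "alice@example.org", empty))
	fmt.Println("self-signed, not imported:", verifyForEmail(selfSigned, "alice@example.org", empty))
	fmt.Println("self-signed, imported:    ", verifyForEmail(selfSigned, "alice@example.org", pinned))
}
```

The first and last cases verify; the two middle ones fail with an unknown-authority error. The self-signed certificate only passes because the recipient put that exact certificate into their own trust store, which is the manual step the comment describes; a CA-signed one passes for everyone whose client already ships the CA, which is why the OP wants one.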

    • username@lemm.ee (OP)
      5 days ago

      As you’ve found, nobody really wants to deal with this for individuals.

      Thanks for confirming my findings. At least I know that I am not mistaken…

      As far as the decentralized web of trust, GPG, keyservers and keysigning parties are concerned, I have been on board for a long time. However, with that approach I cannot just tell some random person from some random company to send me an encrypted response to my GPG-signed e-mail…

      I also used CAcert.org, which is a hybrid approach, back in the day when an inclusion in Mozilla products was still on the table.

      • catloaf@lemm.ee
        5 days ago

        Even with a cert signed by a trusted CA, most people are not going to go through the effort to figure out how to send encrypted mail, assuming their client even supports it!

        The only place I’ve seen it successfully implemented is government, where software and certificates are highly standardized, and being unable to send encrypted email is not an option. Your average person barely knows how to use Outlook.