Last week I set up a free SSL Certificate from StartSSL on a server I created in Amsterdam. The process was a little tricky and not for beginners, but overall getting a free SSL certificate is pretty awesome.
Another free service StartSSL provides alongside their SSL Certificates is S/MIME Certificates. An S/MIME Certificate can be used to help verify a user’s identity. Technically, the S/MIME Certificate can be added to various email programs (and even products like Adobe & Microsoft Office) to “sign” and/or encrypt documents or messages (email). This gives the person who receives the message a little more assurance that the message is from who they think it is from or, in the case of encryption, that the message was encrypted and sent by the person they think sent it.
Several services online offer free S/MIME Certificates; however, most free certificates have a big issue you have to be aware of: there is no verification involved. The only requirement to obtain a free S/MIME Certificate is proof that you own the email address you want to use the certificate with. For example, let’s pretend I use Yahoo to obtain a free email address for Bill Gates (firstname.lastname@example.org). I could then use that Yahoo email address to obtain a free S/MIME Certificate and send email that appears signed and sent from Bill Gates!
To prevent issues like that from occurring, one can obtain a verified S/MIME Certificate. This process involves verifying the owner of the certificate through items like government-issued picture identification and actually talking to the certificate holder in person. Receiving a message from Bill Gates that has been verified by Microsoft is much more convincing than receiving a message from Bill Gates who obtained a free certificate using his Yahoo address. I think the Yahoo version of Bill sent me an email a few months back offering $1,000,000 if I opened the attached picture (I passed).
This weekend I became verified through StartSSL and joined their Web of Trust as a notary. The process involved sending in a copy of my government-issued picture identification and later receiving a phone call from them to verify who I was and which documents I had sent in. As a Web of Trust notary, I can verify other users’ certificates to help add credibility to them. I feel better now that I’ve been verified to actually be me (sarcasm). On a serious note, if anyone needs help with the process, don’t hesitate to contact me.