Personal digital identities for encryption and signatures


Overview

The institute offers digital identities via a third party that can be used for
  • receiving encrypted emails
  • digitally signing emails
  • digitally signing documents

Important facts in a nutshell:
  • Digital identities are basically a large random number (your secret key) plus a certificate that ties it to your name, digitally signed by a certificate authority that lots of programs trust implicitly.
  • Whoever knows the random number is able to act as you.
  • Digital identities are stored in ".p12" files (short for PKCS#12 in geek terminology) which are protected by a password.
  • Whoever knows the password and owns the file knows the secret random number and can act as you!
  • Digital identities are valid for three years and have to be re-requested afterwards.
  • Digital identities require an email application and cannot be used in the Zimbra web interface (see the FAQ entry below for the explanation).

If there's a chance that someone else is in possession of your digital identity, revoke it yourself or contact IT immediately! The identity can be invalidated centrally. You can then request a new one.

FAQ


How to apply for a digital identity



  1. Usually there's a price tag on personal certificates. However, the MPG's Internet provider issues certificates for institute directors and staff for free.
  2. Please write a Ticket to request one.
  3. You'll receive an invitation URL via email that looks like this: https://cert-manager.com/...
  4. Continue reading...




How to download the digital identity?



  1. Go to the URL you received; it looks like this: https://cert-manager.com/...
  2. Fill in the required fields:
    • Certificate Term: Like most identification cards, a digital identity will expire at some point. You may select up to three years of validity.
    • Key Type: Strength of the encryption. RSA-2048 is OK, RSA-4096 is for very security conscious people.
    • Please ensure that there are no typos in your name.
    • PKCS#12 Password: Choose a strong password for your digital identity file (".p12")
      • You won't have to use it often. Choose a complex one.
      • Write it down on paper!
      • Losing your password means that you'll be unable to read encrypted mails sent to you that you have not decrypted yet.
      • Writing it down twice is a good idea. IT is unable to break this password.
    • [ ] I have read and agree... The long text basically says, you have to keep the digital identity safe and revoke it immediately, if someone else (e.g. an attacker) got hold of it.
  3. Download the .p12 file and store it at a secure location—preferably offline (on a USB stick or a USB hard disk).
    • Make sure to have more than one copy of this file.
    • If you lose access to this file, the consequences are:
      • You'll no longer be able to decrypt data that was encrypted for you (e.g. emails). IT is not able to break this encryption!
      • You can no longer sign emails and documents. This can be solved by requesting a new digital identity.
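Before importing a freshly downloaded .p12 it is worth checking that it really carries your name, the key strength you chose and the expiry date you expect, and that the password you wrote down actually unlocks it. The following script is an added example (not part of the original page) that does these checks with OpenSSL; the identity it inspects is a constructed self-signed one built on the fly so that it runs offline, and the name, address, file names and password are assumptions. In practice you would point inspect_p12 at the file from cert-manager.

```shell
#!/bin/sh
# Added example: sanity-check a PKCS#12 identity file with OpenSSL.
# The identity below is constructed (self-signed), not one issued via
# cert-manager; the name, e-mail, password and file names are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed .p12 so the example runs offline: a 2048-bit RSA key
# and a self-signed certificate valid for 1095 days (three years).
make_test_identity() {
    # $1 = output .p12 path, $2 = PKCS#12 password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 \
        -subj "/CN=Jane Doe/emailAddress=jane.doe@example.org" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$1" -passout "pass:$2"
}

# Extract only the user certificate (the private key is never written out)
# and print the fields to verify before importing: name and expiry date.
inspect_p12() {
    # $1 = .p12 path, $2 = PKCS#12 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Report the RSA modulus size in bits (2048 or 4096 per the advice above).
p12_key_bits() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Check that the password unlocks the private key: returns 0 if it does,
# non-zero on a wrong password (OpenSSL reports a MAC verify error).
p12_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -noout >/dev/null 2>&1
}

make_test_identity "$WORK/id.p12" 'correct horse battery staple'
inspect_p12 "$WORK/id.p12" 'correct horse battery staple'
```

Keep the .p12 itself on your offline copy; the checks only ever read it.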




How to use the digital identity?


  1. Import the .p12 file into the applications you want to use signatures and encryption in. Examples:
    • Thunderbird, Apple Mail, ... (for signing emails and receiving encrypted mails)
    • PDF-XChange, Adobe Acrobat (for signing .pdf files)
  2. Using the digital identity is specific to the app; e.g. Thunderbird requires you to select the identity in the mail account preferences before it can be used.




How do I sign PDF files?



Please use PDF-XChange for that. This program is installed on CentralWindows / RemoteWindows. Adobe Acrobat Pro (tested with version 2024.002.21005) is unable to import digital identities for unknown reasons.



Why can't I use my certificate in the Zimbra web gui?



Using a digital identity means handling a secret key. It is presumed that whoever is in possession of the key is the person to whom the digital identity is assigned.

If a web service (like the Zimbra web GUI, OWA, the GMX Mail app, ...) allowed you to handle this key, it would mean two things:
  • The secret key must be under the control of the web GUI, which means under the control of the web server providing the web application. There are common techniques for hijacking the running sessions of web application users, and with the session the secret key could be stolen as well.
  • A potentially huge number of digital identities would be stored in a single place running a complex piece of software (which a web application is). From an attacker's point of view, this would dramatically increase the incentive to compromise such a system: with some small changes to the JavaScript files delivered to end users, an attacker would be able to steal a lot of digital identities at once.

This is a problem shared by all mail web applications. While it is technically possible to handle certificates in a web GUI, that would contradict the trust you want people to have in an electronic signature of yours and in the fact that encrypted mails sent to you can only be read by you.



Topic revision: 25 Oct 2024, Burk2