
Security and certificates

How can I secure my transactions?

One of the strongest characteristics of the Internet is its dispersion: instead of using a central server, each user is continuously changing the server she is talking to. This causes two problems:

  1. confidentiality of exchanged data;
  2. authentication of the server and of the user.

The second problem also exists when two Internet users want to exchange information, using e-mail for example.

Public key cryptography makes it possible both to sign documents, which guarantees their source and their integrity, and to encrypt them so that they can be decrypted only by the owner of a given key. From this comes the problem of key validity: how can you guarantee that a key belongs to the person you think it does?

Two mechanisms are available:

  1. you can have a certification authority such as Thawte certify someone's identity using X.509 certificates;
  2. you can use a web of trust to recursively check the identity of your correspondent; this is how OpenPGP (including the GnuPG free software which implements this standard) works.

How can we make progress on that?

I can certify your identity, be it using X.509 certificates or using OpenPGP.

OpenPGP key signing

I would be pleased to sign your OpenPGP key with mine (available from this page) using the following procedure:

  1. Contact me (see how to do so) and we will schedule a short meeting.
  2. At the meeting, bring an official photo ID, as well as a fingerprint of your OpenPGP key.
  3. During the meeting, I will give you the fingerprint of my own key and let you check an official photo ID of mine, so that you can also sign my OpenPGP key.

After we do that, people who decide to trust me will believe (and they will be right to do so) that the key I signed really belongs to you.

X.509 certification

Thawte set up its own web of trust, thus using a mixed model: some users have their identities certified by Thawte, then they become notaries for this company. They can now give some points to other users after checking their identity. Those users, when they have enough points, will have their identity certified by Thawte. When a user has enough points, she can become a notary herself.

This is exactly what happened in my case: since I had my identity physically checked by four people who were Thawte notaries, I got more than 100 points; this now allows me to certify the identity of other people myself.
If you are physically located in Paris, France, and want me to participate (for free) in your certification, do not hesitate to contact me. Please first read what to bring (in French). Also check the list of Thawte notaries in Paris, France.

How can I check a certificate?

A certificate delivered by Thawte will be automatically checked by most e-mail clients and WWW browsers. Thawte is one of the certification authorities that browser and e-mail client vendors consider trustworthy, so every certificate it signs is considered valid.

For an OpenPGP signature, the program you use (for example GnuPG) will try to find a chain of signatures connecting keys you trust to the destination key.
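The chain-finding step above, and the reason the key-signing meeting described earlier matters, can be seen in this added example (mine, not code from this page or from GnuPG): a simplified model of GnuPG's classic trust computation. It assumes ownertrust values of 'ultimate', 'full' or 'marginal' per key and uses GnuPG's documented defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5); the keyring is constructed for the illustration.

```python
"""Simplified model of GnuPG's classic web-of-trust validity check: a key is
valid when a chain of signatures connects it to a key you trust.  This is a
constructed example, not GnuPG's code.  Assumptions: ownertrust per key is
'ultimate', 'full' or 'marginal', and the thresholds are GnuPG's documented
defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5)."""


def valid_keys(signatures, ownertrust, completes_needed=1,
               marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key judged valid.
    signatures: {signed_key: {signing_key, ...}} from the keyring.
    ownertrust: {key: 'ultimate' | 'full' | 'marginal'} set by the user.
    Your own ('ultimate') keys are valid at depth 0; a key is valid at depth
    d when enough keys already valid at a smaller depth and carrying full or
    marginal ownertrust have signed it.  A valid key without ownertrust
    cannot vouch for others: validity and trust are distinct."""
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    for depth in range(1, max_cert_depth + 1):
        newly = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            vouching = [ownertrust.get(s) for s in signers if s in valid]
            full = sum(t in ("ultimate", "full") for t in vouching)
            marginal = sum(t == "marginal" for t in vouching)
            if full >= completes_needed or marginal >= marginals_needed:
                newly.add(key)
        if not newly:            # no further chain can be built
            break
        for key in newly:
            valid[key] = depth
    return valid


# Constructed keyring: 'me' signed alice, dan, erin and frank after checking
# their IDs; alice (fully trusted) signed bob; three marginally trusted keys
# signed carol but only two signed grace; bob has no ownertrust, so his
# signature on hank proves nothing to us.
SIGNATURES = {
    "alice": {"me"}, "dan": {"me"}, "erin": {"me"}, "frank": {"me"},
    "bob": {"alice"},
    "carol": {"dan", "erin", "frank"},
    "grace": {"dan", "erin"},
    "hank": {"bob"},
}
OWNERTRUST = {"me": "ultimate", "alice": "full",
              "dan": "marginal", "erin": "marginal", "frank": "marginal"}

if __name__ == "__main__":
    for key, depth in sorted(valid_keys(SIGNATURES, OWNERTRUST).items()):
        print(f"{key}: valid at depth {depth}")
```

Running it shows grace and hank never become valid: two marginal signatures are one short of the threshold, and bob's signature carries no weight because he has no ownertrust even though his own key is valid.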

Links