I just installed my free Comodo Certificate in Thunderbird e-mail to enable signing and encryption. This certificate seems to be used when I select the S/MIME option of signing or encryption. Please help me understand how others can find my Comodo public key (or digital signature?) in order to receive/send encrypted e-mail from me using this Comodo certificate. I know I can send them the signature in a direct e-mail. But is there a public repository or directory?
The reason that I am asking is this. I have been using Enigmail with OpenPGP. When I generate the key pairs, I can then publish the public key to a repository or directory where others can find it. This doesn’t seem to apply with my Comodo certificate.
As you can tell, I am new to signing/encryption and would welcome your assistance.
There is no repository etc.
The only way someone can get your public key is if you send them a signed email.
For more on email certificates please take a look at our Knowledgebase.
Should we really build a system like that?
Opinions would be welcome…
I may be wrong, but the central repository for PGP is needed to vet the Web of Trust, so adding that to the current certificates only to share a certificate will cause more costs but a marginal benefit.
Thank you for your prompt replies. They are very helpful. I have learned that I seem to be mixing two different approaches to encryption. One involves a CA. The other is more grass roots, or using others to certify your identity as you build your Web of Trust.
I do see, however, some advantage in having a central repository. If I am understanding this correctly, if one wishes to send to me an encrypted e-mail, they can search by my e-mail address and download my public key, and then send the e-mail. I can then decrypt it with my matching private key. The down side that I see with this is that I have to publish my e-mail address in the directory. I can only assume that this is an easy grab for the spammers.
It is an interesting question: do I wish to initiate encryption with another party by sending my signature, or do I wish that others initiate it by searching for my public key? If they take the time to search for my public key, then I guess they could just as easily send me an e-mail requesting my signature. But then they must wait for me to respond.
I am sure that as I gain experience with signing and encryption, the pros/cons of each approach will become more clear. The positive is that they both are effective and easy to use.
Thank you again for your assistance.
The Secure Email Product we have solves the very problem you have rightly identified:
“It is an interesting question: do I wish to initiate encryption with another party by sending my signature, or do I wish that others initiate it by searching for my public key?”
You can initiate encryption without knowing the public key of the recipient!!!