
I'm considering getting an S/MIME certificate that verifies my name and email address. I've been trying to ascertain what information "leaks" if I do.

The Wikipedia page on S/MIME says:

Depending on the policy of the CA, the certificate and all its contents may be posted publicly for reference and verification. This makes the name and email address available for all to see and possibly search for. Other CAs only post serial numbers and revocation status, which does not include any of the personal information.

What exactly is this referring to? CRLs? Or does that seriously mean that some CAs have some sort of public interface for searching for issued certificates and the information contained in them?

And how do I even find out what a given CA's policy is? I learned about Certification Practice Statements and Certificate Policies and read my chosen CA's ones, but they do not contain this information (or I failed to find it).

My name and email address are hardly secret information, but I do not want them becoming publicly searchable. Of course the public certificate itself would contain them.

To be specific, I'm looking at GlobalSign and their PersonalSign 2 certificates. Yes, I did contact their support but they did not respond (at least yet).

lume
    Guess why S/MIME is used not so much. For email use, especially only personal level, S/MIME is IMHO too much effort and has side effects. The basic flaw of certificate-based encryption/signing is that you have to fully trust the CA. Fully means fully, and there were some cases already where CAs used the data of people against policies or were hacked etc. For HTTPS and other SSL traffic it seems currently unfeasible to switch to a more decentralised trust system, but for email consider PGP as it does not require this high level of trust. – flohack Nov 19 '15 at 16:20
  • Possibly a mistaken application of https://www.certificate-transparency.org/ for TLS certificates which are mostly from the same CAs? – dave_thompson_085 Nov 22 '15 at 02:03

1 Answer


FWIW, I reviewed their CRL and OCSP information and a user agreement. Here's what I was able to determine.

The UA states they have the right to revoke your certificate for any number of reasons out of your control and also if you ask for revocation. Normally, they'd never revoke a cert without the owner asking, so most likely this is a low probability event. If you revoke it, it's because it was compromised and then it will be on a revocation list somewhere.

Why is revocation important?

Because this is the only case I could think of in which your cert has some public profile.

CRL - Certificate revocation list - contains a list of cert IDs, not the original certificate.

OCSP - online certificate status protocol - allows realtime queries for current cert status. However, you need the cert ID to do the query.

In neither of these cases can someone get all information embedded in the cert. So, no exposure of email address through these.

Also, it looks like they have an enterprise product for which a company can run its own sub-CA, for employees. I didn't study this product; however, it's possible that it contains a "public" database of certificates feature. Since that's the equivalent of an internal phone book for employees, it wouldn't surprise me.

Although you might want to continue questioning their policies regarding publishing of certificates in general, I couldn't find anything that looked like what you mention in your question. Publishing issued certificates is an unusual practice for any Certificate Authority.

I'd say this is one of those cases in which Wikipedia may have misleading information.

Bob Ortiz
Andrew Philips
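The answer's point about CRLs and OCSP, as an added example that is not part of the original question or answer and is not GlobalSign's code: it assumes the Python `cryptography` package, builds a throwaway CA and an S/MIME-style leaf certificate for the constructed address alice@example.test, revokes it, and then checks whether the email address appears anywhere in the DER encoding of the certificate itself, of the CRL, and of an OCSP request for it. All names, dates and the address are constructed for the example.

```python
"""What a CRL entry and an OCSP request expose, compared with the certificate itself.

Added example; assumes the third-party `cryptography` package. The CA, the
subscriber name and the email address below are constructed, not real.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

EMAIL = "alice@example.test"  # constructed sample subscriber address
DER = serialization.Encoding.DER


def build_pki():
    """Build a throwaway CA, a leaf cert carrying EMAIL, and a CRL that revokes it."""
    now = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    year = datetime.timedelta(days=365)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Personal CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + year)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([
            x509.NameAttribute(NameOID.COMMON_NAME, "Alice Example"),
            x509.NameAttribute(NameOID.EMAIL_ADDRESS, EMAIL),   # in the Subject DN
        ]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + year)
        # and again in the SAN, which is where mail clients look it up
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(EMAIL)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    # A CRL entry is just (serialNumber, revocationDate, optional entry extensions).
    revoked = (
        x509.RevokedCertificateBuilder()
        .serial_number(leaf_cert.serial_number)
        .revocation_date(now + datetime.timedelta(days=10))
        .build()
    )
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_name)
        .last_update(now + datetime.timedelta(days=10))
        .next_update(now + datetime.timedelta(days=17))
        .add_revoked_certificate(revoked)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_cert, leaf_cert, crl


def build_ocsp_request(leaf_cert, issuer_cert):
    """An OCSP request identifies the cert by issuer name hash, issuer key hash and serial."""
    return ocsp.OCSPRequestBuilder().add_certificate(leaf_cert, issuer_cert, hashes.SHA1()).build()


def crl_entry_fields(crl, serial):
    """Return what the CRL actually records for one revoked serial number."""
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    date = getattr(entry, "revocation_date_utc", None) or entry.revocation_date
    return {"serial_number": entry.serial_number, "revocation_date": date,
            "entry_extensions": len(entry.extensions)}


def exposure_report(leaf_cert, crl, req):
    """Does the subscriber's email address occur in each artefact's DER bytes?

    A byte search is enough here: emailAddress and rfc822Name are IA5Strings,
    so the address is encoded verbatim as ASCII wherever it is present.
    """
    needle = EMAIL.encode("ascii")
    return {
        "certificate": needle in leaf_cert.public_bytes(DER),
        "crl": needle in crl.public_bytes(DER),
        "ocsp_request": needle in req.public_bytes(DER),
    }


if __name__ == "__main__":
    ca, leaf, crl = build_pki()
    req = build_ocsp_request(leaf, ca)
    print("CRL signature valid:", crl.is_signature_valid(ca.public_key()))
    print("CRL entry:", crl_entry_fields(crl, leaf.serial_number))
    print("OCSP request serial:", hex(req.serial_number), "hash alg:", req.hash_algorithm.name)
    print("email present in:", exposure_report(leaf, crl, req))
```

Running it shows the address in the certificate only; the CRL carries the issuer name, dates, serial numbers and the CA's signature, and the OCSP request carries hashes of the issuer's name and key plus the serial, so a querier must already hold the certificate (or at least its serial) to ask about it. This is the "cert ID" the answer refers to; neither artefact reproduces the Subject DN or the SAN.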