All our signatures are themselves signed to produce our
digest-signatures, which are then subjected to third-party time
verification and simultaneously published on the internet on thousands
of independent servers.
To view your closest servers' copy of our most recently published digest-signatures, click news from the following list, or to view the published group messages
on the associated Google(tm) news archive, click Google:
alt.computer.security.web-of-trust (news, Google),
comp.security.pgp.announce (news, Google),
alt.security.keydist (news, Google),
gov.usenet.test (news, Google),
aus.net.mail (news, Google),
chi.mail (news, Google).
Click
here,
here, or
here
to view lists of other servers that also carry our digest-signatures.
The CertEmail public key for signature verification can be downloaded
from us here,
or retrieved from a number of worldwide keyservers,
including:-
keyserver.pgp.com,
pgp.nic.ad.jp,
pgp.cc.gatech.edu,
or you can go to www.openpgp.net to select a different
keyserver from a list - search using our KEY ID shown below.
What is a digital certificate?
A Digital Certificate is a statement of one or more facts, which is
rendered forgery-proof by a cryptographic algorithm. You can take any
electronic information (for example - an email) that is digitally
signed, and automatically verify the authenticity of the signature.
If the signature is forged, or any part of the information (eg: email)
has been altered, the signature will fail verification.
There are numerous products on the market that can verify digital
certificates, and many web sites providing independent certificate
verification services.
What is the difference between a certificate and a signature?
A certificate is just a group of facts, usually written in English - much like
any certificate you are used to seeing in the real world.
A signature - or in our case - a digital signature - verifies
that those facts have not been altered since they were made. Digital
signatures also contain the date and time they were issued, and some way to
identify who made the signature.
­ What do CertEmail digital certificates mean?
The digital certificates produced by CertEmail.cominextricably link the date and
time with additional facts, including one or more of:
the actual contents of an email
the header portion of an email
the delivery status of an email (aka. "DSN")
the opening status of an email, possibly also including:
the IP address(es) on which the email was opened
the apparent email address of the person openeing the email
the domain name of the computer used to open the email on
the email software used to open the email,
the computer operating system of the computer used to open the email
the browser version, features, and identification information of the computer used to open the email
indication by the reader of the email of their understanding of the email content
This means that anyone can verify a CertEmail.com digital signature
to irrefutably determine exactly when an email was sent, delivered,
opened, and/or acknowledged.
How do CertEmail certificates prevent forgery of dates and times?
All CertEmail certificates are stamped with the date and time they
were produced, together with a unique in-order serial number. All
certificates are sent out to the sender and/or recipient, and
additionally, the signature portions are published on our web site for
anyone to read at any time. CertEmail regularly produce an additional
signature-of-signatures (that is - we digitally sign a list of
preceding signatures, and produce a certificate to prove those
signatures exist at a certain point in time). We call these
"signature digests", and they are published in various locations on
the Internet, as well as also being digitally time-stamped by other
time-verification services.
Ultimately, every signature produced by CertEmail is inextricably
linked-in-time to every previous signature (by virtue of the in-order
serial number and the regular signature digests). The indelible
digital "paper trail" created by our constant distribution and
publication of serialized certificates and our publication of
externally time-stamped signature-digests makes it impossible for any
dates or times to be forged.
How do I verify a CertEmail digital Certificate? First, read the wording in the certificate so you understand what
satements of fact are being asserted. Next, verify the digital signature (the bottom part of the
certificate) to make sure no forgery or alterations have been made.
If you already have signature verification built-in to your email
software, follow their instructions to verify the message (usually,
you select Decrypt/Verify from the Tools menu, or click on one of the
padlock icons in the window)
If not, follow these steps:
Your certificate will be attached to either a TEXT or an HTML body
(such as an email). If you have a TEXT certificate (this will be
apparent because you will see the line:-
-----BEGIN PGP SIGNED MESSAGE-----
at the start) skip step 1. and start at step 2. below.
You first need to VIEW the SOURCE of your message.
From a web browser, you can select the View menu, and the
Source option.
Alternatively, Right-Click on the certificate, and select View
Source from the menu that pops up.
From an email program, either
- Right-Click on the certificate and
select View Source from the menu that pops up,
- or double-click (or right-click) on the email title, and select File, then
Properties, then Details, then click the Message Source button,
- or save the HTML attachment to a file, open the file in your web
browser, Right-Click on the certificate, and select View Source
from the menu that pops up.
If all else fails, try clicking on the certificate, then pressing
Ctrl-A to MARK the entire message, then Ctrl-C top copy it.
You will now have access to the raw signed message text and the
attached signature. MARK and COPY either the entire message, or at
least MARK and COPY everything from and including the beginning line marked
-----BEGIN PGP SIGNED MESSAGE----- up to and including the ending
line marked -----END PGP SIGNATURE-----
* If you have an encryption program (for example: PGP), select it's
Decrypt/Verify option (eg: in PGP, you click the Padlock, select
Clipboard, then Decrypt/Verify)
* Alternatively, PASTE you message into an on-line verification
service form, then click the Verify button. For your
convenience, we also provide this service below.
Read the status of your verification. If it reads GOOD or
VERIFIED, it will additionally show the date and time of
certificate creation. If it reads BAD or FAILED, refer to our
troubleshooting "What if my certificate fails to verify" section below.
What if my certificate fails to verify? How can I fix this?
Two things could be the cause of this.
Your email software has altered the original message in some way.
For example, it might have added ">" in front of every line,
wrapped long lines around or broken up the message formatting in
some way. It might have added warnings or copyrights or erased
links or performed some other action on your message that has
altered your message from its original format. You can manually
undo the alterations to re-verify, or you can request another copy
of the message. Most CertEmail certificates are duplicated, with
one copy being sent to a recipient, and a second copy being sent as
an attachment back to the sender. You can ask for the attachment
version to be forward to you, check that the signature serial
number and signature date, time, and pattern are the same as your
original message, then proceed to verify
the attachment (which will not be prone to alteration by your email
software, since it is an attachment to a message rather than just a
message alone).
The certificate may be forged or your email may have been altered.
View our site copy of your certificate (enter the serial number at
the end of this page) to check the date, time, and signature
pattern match the certificate you received. If they do not, you
have a definite forgery. If they do, it might be possible that the
sender attached an old certificate to a new email. Either way, the
certificate and what it states should not be trusted, nor should
the content of any message to which is was attached.