When to consider using domain certificates for email encryption
Tips & Best Practice | 17. NOV 2016
We are always being asked about the possibilities of using domain certificates in email encryption. In this article we will attempt to clarify the situation.
Zertificon Solutions’ domain certificate for mail encryption
search result at Z1 Global TrustPoint
Domain certificates, also known as gateway or organisation certificates, are usually issued in the name of a company or organisation – a legal person, in other words. A user or personal certificate on the other hand is always allocated to a natural person. There is no technical difference between the two types of certificate.
(General principles on the subject of certificates can be found in our white paper “Secure email in times of rising mobile communication”.)
So you’d think it would be reasonable to assume that a company with 500 employees could simply use a single domain certificate for its email encryption rather than 500 personal certificates. It sounds efficient and would seem to make commercial sense, but in practice the use of domain certificates is often less than straightforward.
S/MIME domain certificates can trigger error messages for the recipient
Some email programs – such as MS Outlook – and webmail providers can’t process S/MIME domain certificates. In the validation check of the certificate, the email address in the certificate is compared with the sender’s address – but a domain certificate only contains a central email address, not a personal one. Email programs therefore reject encryption with domain certificates; the certificate is not recognised as being valid for the recipient’s address. Problems can also occur during signature validation, causing the communication partner unnecessary hassle and wasted time spent finding a solution to the problem.
Against this backdrop we await with interest the latest developments and suggested solutions in the wake of the new eIDAS regulation, which explicitly provides for the introduction of corporate seals.
Domain certificates work well with gateway-to-gateway encryption
The use of gateway certificates is only worth considering if the counterparty also uses a gateway for its encryption and signature. However, both communicating partners should agree to work with domain certificates and configure the gateways accordingly. In communications between two Z1 SecureMail gateways all relevant information is exchanged automatically between the Z1 products, so in this case you can use domain certificates with no problems at all.
If using the Z1 SecureMail Gateway, you can of course also combine gateway certificates with user certificates in the standard S/MIME protocol. The gateway will always use the best solution for the relevant communications partner.
Domain certificates also recommended for OpenPGP
It is very easy to work with domain certificates when using the OpenPGP standard in conjunction with a gateway. OpenPGP validation is not concerned with matching the email addresses of the certificate and sender. In principle, the trust model makes it unnecessary to roll out OpenPGP keys for every individual employee when using a gateway.
Domain certificates and end-to-end encryption
Naturally, employees of a company can’t encrypt amongst one another with the same domain certificate. Yet domain certificates can in fact be used in combination with Zertificon’s Organizational End2End. Allow us to explain…!
Just get in touch!