Personal:-
Sign your Email with personal certificates
Enterprise:-
Secure Your Web server
Secure your Mail Server
Industry Solutions
Home  
 
About Us  
 
Contact Us  

Protect Your Digital IDSM; Protect Your Private Key


Frequenty Asked Questions

Digital IDs make use of a technology called public key cryptography. During the initial enrollment process for obtaining a Digital ID, your computer creates two keys: one public, which is published within your certificate and posted within VeriSign's repository, and one private, which is stored on your computer. VeriSign does not have access to your private key. It is generated locally on your computer and is never transmitted to VeriSign. The integrity of your certificate (your "digital identification") depends on your private key being controlled exclusively by you. IT IS YOUR RESPONSIBILITY TO PROTECT YOUR PRIVATE KEY. ANYONE WHO OBTAINS YOUR PRIVATE KEY CAN FORGE YOUR DIGITAL SIGNATURE AND TAKE ACTIONS IN YOUR NAME!


How is my private key protected?

How should I protect my private key? What is a "good" password?

I use Netscape 3.X, where do I enter the password that protects my private key?

I use Microsoft Explorer 3.X. Why didn't it ask me for a password when I generated my key?

I saw a form on a web page that asked for my Netscape (private key) password. Why do they need it?

Where does my computer store my private key?

I need to use my Digital ID at home and at work. Can I safely move my private key and Digital ID from one computer to another?

Can I change my private key password without getting a new certificate?

I forgot my private key password, can someone change it for me?

No one can help me if I forgot my password. That doesn't sound very friendly. Why?

Someone stole my computer. Do they have my certificate's private key now?

Someone stole my computer and I elected to NOT password-protect my certificate's private key. What do I do now?

I rely on my Digital ID for very confidential communications. Is there any way I can further protect my private key?

Q: How is my private key protected?

A: Your private key can be protected in three ways:
  1. It is stored on your computer's hard drive so you can control
    access to it.

  2. When you generate your private key, the software you use (such as your browser) will probably ask you for a password. This password protects access to your private key. For Microsoft ExplorerTM users, your private key is protected by your Windows® password.

    A third party can access your private key only by (i) having access to the file your key is stored in (which is usually part of your system's configuration information) and (ii) knowing your private password. Some software permits you to choose to not have a password protect your private key. If you use this option, then you are trusting that no one, presently or in the future, will have unauthorized access to your computer.

  3. Optionally, you may choose to store your private key on a physical token (for example, a smartcard). This provides an additional level of security since the token (and thus the private key) is intended to remain in your possession at all times. This option can replace storing the private key on your computer's hard drive.

    In general, it is far easier to use a password than to completely safeguard your computer physically. Moreover, tokens usually require a password for access. Not using a password is like pre-signing all of the checks in your checkbook and then leaving it open on your desk.
Q: How should I protect my private key?

A: Protect your computer from unauthorized access by keeping it physically secure. Use access control products or operating system protection features (such as a system password). Take measures to protect your computer from viruses, because a virus may be able to attack a private key. Always chose to protect your private key with a good password.

Q: What is a "good" password?

A: A good password is one that is long enough and unusual enough that an exhaustive search (such as by using a dictionary) is not likely to reveal it. A good password is easy for you to remember but difficult for someone else to guess. Use a password of at least eight characters. Do NOT use something obvious or easily traceable to you, such as your telephone number, birth date, or the name of a member of your family. Do NOT use an ordinary English word, a familiar jargon term, or a password that you have previously used. If you write down your password, do not store it in an easily accessible place.

Q: I use Netscape 3.X. Where do I enter the password that protects my private key?

A: Netscape refers to your private key password as your "Netscape Password." Netscape will prompt you when the browser requires you to enter it. Note: You should *never* enter your Netscape Password in a form retrieved over the Internet. Only enter it on local generated Netscape dialog boxes.

Q: I use Microsoft Explorer 3.X. Why didn't it ask me for a password when I generated my key?

A: Microsoft Explorer protects your private key with the Windows log on password, not with a separate password.

Q: I saw a form on a web page that asked for my Netscape (private key) password. Why do they need it?

A: They DON'T. Never provide your private key password to anyone. No legitimate business ever needs to know this information.

Q: Where does my computer store my private key?

A: Your private key is typically stored in encrypted format in a Preferences or Configuration file that can only be unlocked (decrypted) using your private key password. For example, for Netscape version 3.0 for Macintosh, it is stored in the Security sub-folder of the Netscape folder (in the Mac Preferences folder) in a file named "Key Database." Different programs may store your private key in different places.

Q: I need to use my Digital ID at home and at work. Can I safely move my private key and Digital ID files from one computer to another?

A: It is possible to move your key and Digital ID files from one computer to another, as long as both computers are running the exact same software. You may need to talk to your software vendor to see if this is possible with the applicable software. It is very important that you use a secure password to protect your private key if you intend to move the key from machine to machine.

Q: Can I change my private key password without getting a new certificate?

A: Yes. Your private key password encrypts your certificate's private key. You can change this password (thereby reencrypting your private key) using the program you used to create it. For example, with Netscape you can change your password from the "Passwords" dialog accessed from the Security Preferences menu. You should immediately change your password if you think someone else may have learned it.

Q: I forgot my private key password. Can someone change it for me?

A: No. If you have forgotten your private key password, no one can help you. You will have to generate a new set of keys and obtain a new certificate. Any secure E-mail message (S/MIME) encrypted using your public key will be effectively lost. In some cases you might also have to reinstall your E-mail software and web browser as well.

Q: No one can help me if I forgot my password. That doesn't sound very friendly. Why?

A: There is a trade-off between security and convenience. If there was some way for another person to recover your private key password for you, then he or she could steal it and use it for purposes you might not approve of. Certificates (Digital IDs) are still new, and not all of the features one might like to see are available yet. In the future it will be possible to save an unencrypted copy of your private key (so no password is required) on a floppy disk which you could then put in a safe place, such as a safe deposit box. Both Microsoft and Netscape are working on such a system. You could then use that floppy to recover your certificate's private key if you lose the password that normally encrypts it.

Q: Someone stole my computer. Do they have my certificate's private key now?

A: If you used a good password to protect your private key, then it is unlikely that the thief will be able to use your private key. However, you should still contact the CA that issued your certificate and request that it revoke your certificate and issue you a new one (with a new public and private key).

Q: Someone stole my computer, and I had elected to NOT password-protect my private key. What do I do now?

A: Immediately notify your CA that your key has been compromised. It will arrange to revoke your certificate and get you a new one. Note: Although relying parties should always check the revocation status of a Digital ID, some relying parties might not have done so. It is a good idea to inform anyone that may be affected that your private key has been compromised.

Q: I rely on my Digital ID for very confidential communications. Is there any way I can further protect my private key?

A: There are two types of hardware devices available that are more secure than your hard drive for storing your private key. These are known as tokens (typically PCMCIA cards or special floppy disks) and smartcards. Contact your software vendor to see if it supports these devices.
 
   
SiteMap |  Privacy Policy |  Disclaimer |  Repository
   Copyright 2002 SafeScrypt Ltd.