Security with Simplicity - with No Digital Certificates
Normally, email encryption demands that you (and your recipient) purchase and register a Digital Certificate with a Certification Authority. This is a costly and time-consuming business, which is why, despite the overwhelming need for email encryption, it is not widely taken up.
Crucially, PTP's leading-edge email encryption process does not need a Digital Certificate, dramatically reducing setup time and admin costs, yet it is just as secure!
As the saying goes, ‘if something is easy to use and it works, people will use it’.
PTP’s goal is to be ‘lifetime unbreakable’, and it is much safer than the systems we all use to access our bank accounts over the web; in fact, PTP encryption is a trillion times stronger.
PTP uses Digital Signatures, but we don’t require you to purchase a Digital Certificate.
Digital Certificates
Software which uses Digital Signatures normally demands that you purchase and register a Digital Certificate. Why? Because the authorities want your details? Because it's a profit opportunity for someone? Can we trust any organisation to hold and control our Digital Signatures?
Here are some problems with Digital Certificates:
- What if the Certification Authority (CA) loses its secret key?
- What if the CA issues false certificates?
- Digital Certificates only work for a limited time before they expire
- There are many CA organisations, which do you choose?
- The CA organisations are mainly commercial companies
- They accept little or no responsibility for the certificates
- They have certificate admin staff who come and go
- Most CA structures are multi-level with a certificate chain
- The impossibility of linking every certificate to an individual
- The CA can impersonate anyone on the system
- What if someone steals your identity?
- Digital Certificates are extremely difficult to revoke
- Registering and using Digital Certificates is complex
- Certification Authorities are companies which are bought and sold
- Do you really want ANY organisation to hold your encryption keys?
- Who within an organisation can use their private key, anyone?
- Your private key is held on your PC, what if it is lost or stolen?
- Certification Authorities don't accept any liability for mistakes
- We have no idea how good their internal security structures are
- Under what circumstances must they disclose your data to 3rd parties?
- The whole Digital Certification edifice is so complex it's bound to go wrong
Basically, if the CA can be subverted, then the security of the entire system is lost.
Digital Certificates make the otherwise excellent RSA Public/Private key system over-complex, expensive and less secure.
It's amazing, really, that many people have chosen a Certification Authority and registered their information after seeing them on the web for the first time just a few minutes before.
All a Digital Certificate is trying to do is prevent impersonation. Encryption and Digital Signatures cannot stop someone pretending to be someone they are not. That job is supposed to be done by the Digital Certificate Authority, which is nothing more than a commercial company selling Digital Certificates.
For email security, the only reason you would want a Digital Certificate is if you wanted to exchange confidential information with complete strangers. The Certification Authority is supposed to be there so that if John Smith sends you an encrypted and signed document you can check up on who John Smith is or, more accurately, which John Smith it is. In other words, which John Smith owns the Digital Signature being used.
That is fine (though not without problems) in the case of a web site like Amazon. They do want to be able to exchange confidential data with complete strangers, viz. your credit card details. Therefore they have a Digital Certificate. Next time you check out and pay on a website, look for the padlock symbol. Click it and you can view the vendor’s complete Digital Certificate. It's complicated, and it has to be: they are collecting thousands of credit card details every day.
Now, it's relatively easy for the Certification company to verify who Amazon is. It’s not so easy for an anonymous individual like John Smith. Do we trust them to get it right?
At the end of the day it doesn’t matter, because in practice you don’t need to be able to exchange confidential data with complete strangers by email. The people you exchange confidential information with are going to be known to you. Therefore, who is in the better position to validate the identity of your email correspondents: an anonymous commercial company on the web, or you?
With PTP you do not have to purchase, register and maintain a Digital Certificate, and neither do your correspondents. This is a major advantage in terms of both user convenience and security.
Why do Microsoft use Digital Certificates with their S/MIME encryption? The reason is that Microsoft are so big and ubiquitous that the government authorities take a keen interest in any encryption tools they put out. That has to be an influence on the decision to use Digital Certificates, which ultimately are under the control of the security services. They love the idea that everyone in the world using encryption has all their details and keys logged with the certification authorities. Unfortunately, it's not secure.