Chapter VI

Key servers, certificates and authorities

There is an element of our configuration we have not talked about yet.

We’ve mentioned that in order to send encrypted email, one needs to hold the peer’s public key. This is always true. However, we have only mentioned one way of obtaining this key, that is, receiving it in an email from the peer.

What we would like to achieve at this point is the ability to announce to the world that our encrypted communication is online. We want to achieve it without explicitly sending the public key to everyone who wants to use it.

Here’s a confusing concept. In order for everybody, whether we know them or not, to use our public key for encrypting emails to us, we need to send our public key to one place only: a key server.

Key servers

A key server is in fact a repository, a database of public keys. Those are typically identified by their ID and by the email address to which they relate. This relation is quite simple. To encrypt an email to a given email address, encrypt it with the key identified by this email address.

Now, this database is in fact a website (from our point of view, that is), like this one: . One can access it with a web browser and interact with it to send their own public key or to extract one. But web browser access is not that practical for us. We would like something more handy.

The good news is that we already have everything in place. When you installed the Enigmail plugin in Thunderbird, you equipped your system with a tool that lets you fetch public keys from a key server (and send yours to it). In the Key management section of the plugin configuration you can see a menu entry called Keyserver.


When you click on it you can see a few options, one of them being Find a key. The system will ask you for an email address (of a person you want to send an email to) or the key ID and will search its database for it. If found, you’ll be able to download and import this key into your encryption system.

By default Enigmail comes with a short list of key servers already configured for you. These are public key servers, where anybody can upload their key. For private use you do not need anything else.


In a professional environment the local IT policy might lead to the creation of a private key server that holds the keys for the employees only. In that case, this key server needs to be added to this configuration.
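
An added example, not part of the original chapter or of Enigmail: the lookup by email address or key ID described above, written as the HKP request a client sends to a key server, plus a parser for the machine-readable reply. Because anybody can upload a key under any address, it keeps only the key whose fingerprint matches one obtained from the owner directly. The host keys.example.org, the sample reply and the function names are assumptions, and the server is assumed to return full fingerprints in its pub lines.

```python
import time
from urllib.parse import urlencode, unquote

KEYSERVER = "https://keys.example.org"  # assumption: placeholder host

# Constructed sample of a machine-readable HKP index reply (not real keys).
SAMPLE = """info:1:3
pub:AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:1:4096:1500000000::
uid:Alice Example <alice@example.org>:1500000000::
pub:1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE:1:2048:1300000000::r
uid:Alice Example <alice@example.org>:1300000000::
pub:9999FFFF8888EEEE7777DDDD6666CCCC5555BBBB:1:4096:1600000000::
uid:Alice Example %3Calice%40example.org%3E:1600000000::
"""

def lookup_url(search, op="index"):
    """URL for an HKP lookup; search is an email address or a 0x-prefixed key ID."""
    query = urlencode({"op": op, "options": "mr", "search": search})
    return f"{KEYSERVER}/pks/lookup?{query}"

def parse_index(text, now=None):
    """Turn 'pub:' / 'uid:' lines into dicts, marking revoked and expired keys."""
    now = time.time() if now is None else now
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid, _algo, _bits, _created, expires, flags = (f[1:] + [""] * 6)[:6]
            expired = "e" in flags or (expires.isdigit() and int(expires) < now)
            keys.append({"keyid": keyid.upper(), "uids": [],
                         "revoked": "r" in flags, "expired": expired})
        elif f[0] == "uid" and len(f) > 1 and keys:
            keys[-1]["uids"].append(unquote(f[1]))  # uid field is percent-escaped
    return keys

def pick_verified(keys, email, fingerprint):
    """Return (key, live_count): the live key for email matching a fingerprint
    the owner gave us out of band, and how many live candidates the server had."""
    want = fingerprint.replace(" ", "").upper()
    live = [k for k in keys if not (k["revoked"] or k["expired"])
            and any(f"<{email}>" in u for u in k["uids"])]
    match = [k for k in live if k["keyid"] == want]
    return (match[0] if match else None), len(live)

if __name__ == "__main__":
    print(lookup_url("alice@example.org"))
    key, live = pick_verified(parse_index(SAMPLE), "alice@example.org",
                              "9999 FFFF 8888 EEEE 7777 DDDD 6666 CCCC 5555 BBBB")
    print(live, "live candidates; verified key:", key and key["keyid"])
```

In the sample the server holds two live keys for the same address, so the email address alone does not tell you which one to import.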

Certificates and Authorities

When talking about authorities we’re not going to think about government. In fact we’re flying above those now. A Certificate Authority (CA) is an Internet entity (you can loosely call it a company) whose job is to confirm an identity. You interact with those if you want to buy a certificate for an HTTPS site or when you want to have a global confirmation of your identity that is related to your private and public encryption keys.

One thing worth mentioning… again. These entities exist above any governments. The authentication they provide is independent. They are also a fantastic source of revenue. In other words, it’s not all that good-for-the-people initiative. It’s business. And they work hard to keep the business going. Sometimes when visiting HTTPS websites, your browser warns you about the inability to identify the website. The reason is that your browser cannot find, in any of the known CAs, an identity related to the key used in creating the encrypted channel between your browser and the web server. You can ignore this warning. But again, it’s business, so these days, modern browsers make it harder and harder for you to do this. Mostly through unclear and intentionally overblown statements about the danger of visiting such a site. Then the button or link allowing you to ignore them is tiny and named with something confusing, like “I’m suicidal, I want to go ahead and visit this site”.

You come across this subject in encrypted email communication, too. When you receive a signed email, your Thunderbird will tell you that a signature is Bad or Unauthenticated. The reason is described above. But here again you can ignore the warning and authenticate the signature yourself using a button on the right-hand side of the information about the signature.

The notion we’re talking about here is called self-signing. This site’s certificate and encryption key are both self-signed. This means that I generated and installed them myself, and never asked a CA to confirm my identity or that of the domain.

Instead of using Enigmail to generate your encryption keys, you can use one of the CAs, like DigiCert, to create them for you. They’ll come with a certificate. Your identity will first undergo confirmation. Most likely you will be contacted to provide some additional information, like the tax ID. Once this process is finished, DigiCert will generate the keys for you and allow you to download them and import them into Enigmail. You’ll have an annual fee to pay for the certification to be maintained. The upside of using keys generated this way is that when you sign an email, your identity is considered true and authenticated on the receiving end automatically.

End of Chapter VI