UTHSC-H Digital IDs

Digital ID FAQ
Questions and Answers about Digital Ids, signing and encrypting email, authentication and mail clients


  • Q? I received an email that shows the signature is invalid, but the message's address is from someone I know. What do I do? 
  • A. An invalid signature can be caused by a number of different failures, such as an expired certificate, an untrusted certificate, or a message that was forged or altered in transit. Regardless of the reason, if the signature is invalid, both the message content and the identity of the sender should be considered unreliable. 
  • Q? I received an email from someone I know, but it has an attachment I was not expecting and the message is not signed. What do I do? 
  • A. An unsolicited or unexpected message from a known person that contains an attachment should raise an alert. This is especially true when the message is not digitally signed. If the message is digitally signed, it will be safe, since applications do not have the ability to sign messages as an individual, and any attempt to sign as that individual would result in an invalid signature. As with an invalid signature, the contents of an unexpected attachment in an unsigned message should be considered untrustworthy. 
  • Q? What can I use my digital ID for? 
  • A. A digital ID can be used for signing or encrypting email messages whenever the recipient needs assurance that the sender is not being impersonated, whenever the message should be readable only by the recipient, or wherever an application requires strong authentication, for example: 
    • Signing 
      • Messages to SDR regarding an employee's pay. 
      • Messages to employees regarding unusual requests. 
      • Messages to support personnel regarding requests for password changes. 
    • Encrypting 
      • Messages containing data that is mandated by law to be obscured in transit, such as Patient Identifiable Data (PID). 
      • Messages that should only be read by the recipient (employee reprimand, request for a personal raise, information to and from HR regarding salary, passwords). 
    • Applications 
      • Web based resources that should be strongly authenticated such as online password change forms.
      • Web based applications that reveal an individual's sensitive information such as payroll, grades, restricted personal information. 
  • Q? When is the use mandatory, and when is it optional? Do the answers vary depending on whether I'm a student, staff or faculty? 
  • A. The use of a DID is mandated by policy for certain activities, by common sense and by particular applications. Policy states that DIDs should be used to encrypt any information that is considered confidential or sensitive. Signing is required by internal policy, by state and federal law, and for certain procedures and applications. Since a DID has multiple uses with varying requirements, most of the policies and rules for its use rely on common sense and user awareness.
  • Q? How do I apply for a digital ID?
  • A. Digital IDs at UTHSC-Houston and information on how to acquire them are available online at http://www.uth.tmc.edu/netcenter/middleware/digital-id/id-get.html
  • Q? Where can I store the ID, and how do I import and export it to the desired locations?
  • A. Once a DID is obtained, it is initially stored on the computer where it was originally applied for. The public/private key pair and certificate can be exported as an encrypted file using utilities provided by the browser vendor. This file can then be imported onto other machines, stored on a floppy disk for backup, or loaded onto a token for portability.
    Security Alert: No one should have access to this backup except you! Therefore, your backup should never be kept on a shared network drive or even on your own personal PC! Use a floppy disk or CD and keep it in a secure physical location for maximum security!
    Details for importing and exporting to and from the most common browsers are available at http://www.uth.tmc.edu/oac_docs/trust/export-import.htm
  • Q? How can I obtain a token and the corresponding software, and when should I use this token?
  • A. A USB token is a physical device that plugs into a computer's Universal Serial Bus (USB) port. These tokens have a number of uses, most of which are application specific. You can store your DID on a USB token to make it more portable. Presently, tokens are issued by departments and schools that have mandated their use. If you are in one of these departments, check with your LAN manager.
  • Q? How can I verify that an ID has been imported properly, and check which functions it is valid for?
  • A. Once installed or imported, the easiest way to verify that your DID is working properly is to send yourself a signed message and then an encrypted message. Each mail client differs in how it displays a signed or encrypted message, but most provide some type of icon in the message that carries this information: look for a lock icon, a pen icon or a certificate ribbon icon and double-click on it. If you are using the Netscape mail client, the installation and functions are set automatically in the client and no additional settings are required. If you are using Outlook or Outlook Express, there are an extensive number of choices that differ depending on the version and type of client as well as the mail server, and you will need someone with a technical background to assist you. If you are using Outlook, Outlook Express or Exchange, contact your LAN manager for specific support.
  • Q? What is the role of the digital ID when I use VPN?
  • A. The DID is used for strong authentication when using Virtual Private Networking.
  • Q? I'm having trouble enrolling for an ID from an XP Pro workstation.
  • A. This is an issue with the Verisign Onsight software. The problem should be resolved once we have installed the latest version. The workaround is to apply with Netscape and import the certificate into XP.
  • Q? What settings/configurations in the Outlook and Netscape clients affect digitally signed messages, and which recipient e-mail clients have issues with these settings?
  • A. Once correctly configured, both Outlook and Netscape behave well with DIDs when messages are sent between users of the same client. We have identified a number of configuration options in Outlook that can cause problems when sending mail to people using Netscape or other mail clients. Training information for Outlook is available at http://is.hsc.uth.tmc.edu/exchange/training.htm
  • Q? I use Outlook 2000, and it only allows me to sign email, not encrypt it. The error is: "The following recipient does not have valid Digital Identification." But I can decrypt incoming encrypted emails without problem.
  • A. In order to send an encrypted email message in Outlook, the recipient's public key must be accessible to the mail client. Outlook requires some specific configuration changes to allow you to access other users' public keys. There are a number of ways to accomplish this, including manually loading each user's certificate into the local contact list or configuring the client to use the certificate store in LDAP (White Pages). The latter requires registry changes, replacing some DLLs and setting up Outlook to point at the LDAP server.
  • Q? One of my clients used Outlook 98 and it worked well. When he switched to Outlook 2000, it never asked him to enter a password before signing/encrypting emails.
  • A. This is the default behavior in Outlook and is NOT recommended. The user will need to export their DID WITH the private key, delete it from the Microsoft certificate store, and then reimport the DID, choosing Strong Protection for the private key store.
  • Q? Most OAC people use Netscape 4.x with their Digital ID to sign/encrypt emails. I was told that versions 6.2 and 7.0 have no implementation for Digital IDs. Is that true?
  • A. Netscape 4.79 was the last of the older versions to fully support DIDs. This product is still supported by AOL, the new owner of the Netscape client. Netscape 6.X, developed by AOL, does not have full support for DIDs; it has been deprecated and replaced by Netscape 7.X, which does support DIDs.
  • Q? One of my clients wants to use his UT-issued Digital ID to sign/encrypt email on his ATTglobal account. How can this be done? Do we need the mail server information to configure Netscape or Outlook for this email account?
  • A. The UT digital ID is rooted in a public CA, so this should not be a problem as long as he accesses his mail with a client that supports X.509v3 certificates. You will need the mail server information to configure either client. The certificate can be used in multiple profiles in either client.
  • Q? Some people cannot view encrypted messages, and we do not know why. The solution is to remove the iKey and just use the digital ID in the Netscape security environment.
  • A. This was noticed and documented in earlier installations of the iKey software and seems to be related to having the certificate installed prior to the iKey software. The newer version of the Rainbow Cryptographic Module seems to have addressed some of these issues. We have found that removing all certificates prior to installing the iKey resolves this issue. 
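The checks the FAQ describes (an invalid signature on a message altered in transit or signed under an untrusted certificate, the send-yourself signed and encrypted self-test, encrypting with nothing more than the recipient's certificate, and exporting the key pair as an encrypted backup file), walked through with OpenSSL as an added example that is not part of the original page or the university's tooling. A constructed self-signed certificate stands in for a CA-issued DID; the subject name, address and passwords are placeholders.

```shell
#!/bin/sh
# Added example (not the university's tooling): a constructed self-signed
# certificate stands in for a CA-issued DID so everything runs offline.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Constructed key pair + certificate; subject name and address are placeholders.
openssl req -x509 -newkey rsa:2048 -nodes -keyout id.key -out id.crt -days 30 \
    -subj "/CN=Example User/emailAddress=user@example.test" >/dev/null 2>&1
printf 'Please reset the password on account 1234.\n' > msg.txt
# Sign the message as a mail client would (multipart/signed S/MIME).
openssl smime -sign -in msg.txt -signer id.crt -inkey id.key -out signed.eml
# signature_status FILE TRUSTED_CERTS -> "valid" or "invalid".  A message altered
# in transit or signed under an untrusted certificate both come back "invalid";
# the FAQ says to treat such content and its sender as unreliable.
signature_status() {
    if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}
# Simulate alteration in transit: change one digit in the signed body.
sed 's/1234/9999/' signed.eml > tampered.eml
# A second self-signed certificate plays an issuer the recipient does not trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt -days 30 \
    -subj "/CN=Untrusted Issuer" >/dev/null 2>&1
# Encrypting needs only the recipient's certificate (public key); decrypting
# needs the matching private key.  Sender and recipient share one DID here.
# -binary keeps the text byte-for-byte so decrypt_message returns msg.txt exactly.
openssl smime -encrypt -binary -aes256 -in msg.txt -out encrypted.eml id.crt
decrypt_message() {
    openssl smime -decrypt -in "$1" -recip id.crt -inkey id.key
}
# Backup/export: key pair and certificate leave the machine only inside a
# password-protected PKCS#12 file, the "encrypted file" the FAQ refers to.
openssl pkcs12 -export -in id.crt -inkey id.key -out backup.p12 -passout pass:backup-secret
# backup_opens FILE PASSWORD -> "yes" if the password unlocks the backup, else "no".
backup_opens() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out /dev/null >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}
echo "good signature:      $(signature_status signed.eml id.crt)"
echo "altered in transit:  $(signature_status tampered.eml id.crt)"
echo "untrusted issuer:    $(signature_status signed.eml other.crt)"
echo "wrong backup passwd: $(backup_opens backup.p12 wrong-password)"
```

A real mail client does the same verification behind its lock or ribbon icon; the script only makes each failure mode visible on the command line.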
Office of Academic Computing
Copyright © 2003 The University of Texas Health Science Center at Houston