"Vadim Rapp" <nospam@sbcglobal.net> writes:
> I have a personal email signing certificate from Thawte. The certificate is
> issued in my name. The certificate is installed in the system.
>
> If I look at the certificate from Internet Explorer
> Options/Content/Certificates, or from MMC, I see two purposes of the
> certificate: "proves your identity to a remote computer" and "Protects email
> messages".
>
> But if I send an email signed with this certificate, and then look at the
> certificate already in the email (sent or received - same thing), I see only
> purpose "Protects email messages". Same in Outlook and in Outlook Express.
>
> Why I don't see "proves your identity" purpose in the certificate in email?

asymmetric key cryptography is technology where a pair of keys are
required for encoding and decoding (vis-a-vis symmetric key where
the same key is used for both encoding and decoding).

public(/private) key cryptography is business process where one key (of
asymmetric key pair) is kept confidential and never divulged (private
key) and the other key (public) is freely distributed.

digital signature is a business process that provides authentication and
integrity. the hash of a message is encoded with a private
key. subsequently the hash of the message is recalculated and compared
with the "digital signature" hash that has been decoded with the
corresponding public key. if they are equal, then the message is
presumed to not have been modified and was "signed" by the entity in
possession of the specific "private key". If the hashes are not equal,
then the message has been altered (since "signing") and/or originated
from a different entity.

over the years there has been some amount of semantic confusion
involving the terms "digital signature" and "human signature"
.... possibly because they both contain the word "signature". A "human
signature" implies that the person has read, understood, and aggrees,
approves, and/or authorizes what has been signed. A "digital signature"
frequently may be used where a person never even has actually examined
the bits that are digitally signed.

a digital certificate is a business process that is the electronic
analogy to the letters of introduction/credit for first time
communication between two strangers (from sailing ship days and earlier)
.... where the strangers have no direct knowledge of each other and/or
don't have recourse to information sources about the other entity.

there was work on generalized x.509 identity digital certificates nearly
two decades ago. the issues, by the middle 90s, was that most
organizations realized that such identity digital certificates,
represented significant privacy and liability issues. As a result, there
was significant retrenching from the paradigm.

In part, the original scenario was electronic mail from the early 80s,
where somebody dialed up their electronic post office, exchanged email
and then hung up. There could be significant problem authenticating
first time email from total stranger (in this mostly "offline"
environment).

Digital certificates had started out with a fairly narrowly defined
market ... first time communication between strangers w/o direct
knowledge of each other (and/or recourse to information about the other
party). Realizing that generalized identity certificates represented
significant privacy and liability issues, resulted in retrenching and
further narrowing of the target market. The increasing pervasivensss of
the internet and online information sources further narrowed their
target market and usefulness (since there became lots of alternatives
for information about total strangers).