Q. What is the difference between PGP and VeriSign? PGP can do key pair generation, key server services, encryption, decryption, digital signatures, and digital signature verification. But VeriSign can do the same things, too, both via Netscape Messenger and Outlook Express (as well as other software supporting this technology).
A. PGP and VeriSign are based on two different standards: OpenPGP (used mainly by the PGP software we got from www.pgp.com), and S/MIME (used by VeriSign, Microsoft, Netscape, and scores of others). Both standards are open, i.e., anyone can use them freely to design software based on them. S/MIME is the newer of the two, but is already more widely used.
The main difference between the two standards is in how the validity of keys is certified: in S/MIME, CAs (Certification Authorities) certify keys for users. VeriSign is one of them, Thawte another. PGP keys are validated via the so-called Web of Trust, whereby people who know each other certify each other's keys (by signing them), until eventually most keys one needs are certified by someone whom one trusts.
S/MIME is more suitable for mass use, since PGP requires its users to decide whom they trust and how much, which really is too technical for most people.
Apart from VeriSign, an excellent CA is Thawte (www.thawte.com), which is free to individuals; they get revenue from companies.
For more information, read http://www.worldtalk.com/Standards%20and%20Tech/PGP%20and%20SMIME.pdf .
Q. Someone who takes advantage of VeriSign doesn't need PGP at all, right?
A. First of all, if one's friends use one of the two, one should use the same service for compatibility. Second, VeriSign isn't free, unlike PGP (but Thawte is free, despite being S/MIME). Third, one can set one's own degree of trust to different people's keys under the PGP system, which may or may not be beneficial depending on the person. Fourth, with VeriSign you have to ask your correspondents to sign up for the VeriSign service if you want to send them encrypted messages, while with PGP you have to send them the link to download PGP software (again, it may or may not be a benefit).
Q. Why doesn't VeriSign ask for PGP keys the user may already have?
A. VeriSign ignores PGP-generated keys, since those aren't compatible with S/MIME. However, Thawte can also certify PGP keys (under the OpenPGP standard).
Q. Who generates keys when you sign up for VeriSign?
A. The browser does that. If VeriSign were to do that, they'd have to send the private key over the Internet, which is totally unacceptable from a security point of view. Moreover, the secret key should never be given to anyone else, not even to VeriSign.
Q. What do you see when you look at a VeriSign certificate?
A. Apart from the obvious information, you see the Certificate ID, which is a unique ID assigned to each certificate, and the Certificate fingerprint, which is the fingerprint of the public key which is part of the Certificate.
Q. Can you see the public key that is part of your Certificate?
A. No, unless you export it to a text file. You don't need to, however; its fingerprint is enough.
Q. How is a Certificate checked? Do you need a link to VeriSign for that?
A. No, both Netscape and Microsoft "know" the public keys of major CAs, including VeriSign. So everything is checked transparently inside the browser or email software without connecting to VeriSign.
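The last three answers (the key pair is generated on the user's side, the certificate carries a fingerprint of that public key, and checking a certificate needs only the CA's public key that the mail software already holds) can be walked through with Go's standard X.509 library. This is an added example, not part of the FAQ or of any CA's software; the CA name, the user address and the one-hour validity period are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for pub with signer's key; passing tmpl as its own parent gives a self-signed CA root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// BuildChain returns a constructed stand-in CA root and an S/MIME user cert it issued; the user's key pair never leaves the user's side.
func BuildChain() (*x509.Certificate, *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // what the browser does at sign-up; the CA only receives the public half
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	return root, issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice@example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}, root, &userKey.PublicKey, caKey)
}

// VerifyOffline checks user against a trust store holding only the given roots (the mail client's built-in CA list); the CA is never contacted.
func VerifyOffline(user *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := user.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}

// Fingerprint is the SHA-256 digest of the public key carried in the certificate (its SubjectPublicKeyInfo).
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}
```

Running BuildChain twice yields two unrelated "CAs": a user certificate verifies only against the root that actually signed it, and fails against an empty trust store or the other root, which is exactly the check the browser performs locally.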