TIPS & BEST PRACTICE 15. DEC 2017
What is the difference between certificate signatures and email signatures?
Algorithms for email signatures are not
necessarily the same as certificate
signature algorithms.
In cryptography, signatures play various roles. In the discussion on signature algorithms, it is absolutely necessary to clarify the context. When it comes to email encryption and signatures, differentiating these two signatures, certificate signatures and email signatures, is paramount. Therefore, we have compiled the facts of the matter here:
A certificate signature displays the algorithm with which the issuing certification authority has signed the certificate
The algorithm the certification authority uses to sign the certificate is displayed on the “signature algorithm” field, and cannot be altered. The certificate signature does not influence the algorithm with which emails with this certificate are encrypted and signed.
The email signature is determined by the signature algorithms offered by the software with which the email signature is set
For signing emails, the signature software uses the sender’s private key, applying the signature algorithm set for this particular addressee. The addressee checks the email signature against the sender’s public certificate. It makes no difference which algorithm was used to sign the certificate.
S/MIME certificate algorithms on the German energy sector as of January 1, 2018
Market communication certificates
A December 12, 2017 update of the Federal Association of the Energy and Water Industry (BDEW) market communications guidelines has pushed back the regulation requiring all newly issued certificates to be signed with RSASSA-PSS until January 1, 2019. Until this date, certificates issued by certification authorities can be signed with the RSASSA-PKCS1-v1_5 signature algorithm (For more detailed information see German-language EDI@Energy regulations). On the other hand, January 1, 2018, the date set for adapting S/MIME algorithms to email signatures remained valid, the designated adapt signature algorithm being RSASSA-PSS. In compliance with these regulations, email signatures may also be issued with certificates the certification authority signed with RSASSA-PKCS1-v1_5.
EDI@Energy market communication participants read on here: Market Communication in the German Energy Sector.