Here's how it works in a nutshell, the user creates a private key, typically in a browser, along with the public key in a certificate request. The cert request is sent off to be signed by a certificate authority. Once signed, the certificate is published and everyone can see it, hence, public key. The private key stays on the user's computer and never leaves.
When someone sends you an encrypted email, they encrypt it with your public key. You decrypt it with your private key. Only you possess the private key. You were issued a certificate with your public key. Businesses and government have the public key, they signed the cert, and the cert expires in a year, hence they are managed. They never have your private key.
“The private key stays on the user’s computer and never leaves.
When someone sends you an encrypted email, they encrypt it with your public key. You decrypt it with your private key. Only you possess the private key.”
In the above scenario, the company has your private key, too. You are using your company’s email infrastructure and they can block any attempt to use a key they don’t manage on your email.
In the circumstance we are all talking about, the employer has these things (the Government). That’s how they can see all of this.
This discussion, although a bit of a digression, is very interesting to me in relation to some projects I am currently working on.
What’s your understanding of the potential for ID theft and a resultant theft of PKI Public AND Private Keys?